User Registration < 3.0.4.2 - Admin+ Stored XSS

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PoC

1. Install and activate this plugin - https://wordpress.org/plugins/user-registration/. 2. Click “Add Form” under the plugin options. 3. Once the form is created, navigate to the form settings, and in the “Redirect URL” field, inject the following payload: javascript:alert(document.domain) and then click “Update Form.” 4. Copy the shortcode generated for the form, go to the “Page” tab, create a new page, paste the shortcode, publish the page, and visit it. 5. Now, fill out the form with any dummy data and click “Submit.” 6. This will create a new user and trigger the XSS vulnerability.