WordPress DirectoriesPro 1.3.45 Cross Site Scripting

WordPress DirectoriesPro 1.3.45 Cross Site Scripting: Posted Dec 11, 2020; Authored by Jack Misiura; WordPress DirectoriesPro plugin version 1.3.45 suffers from multiple cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss; advisories | CVE-2020-29303, CVE-2020-29304; SHA-256 | 6aa12eb5e2a30f4c4d114b32f8b866bc1a6a86a0191f2dd3043d5c986c598b92; Download | Favorite | View

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or JavaScript injection.

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories <http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F> &q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the  _t_ parameter is set to an invalid or non-existent CSRF token.

filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal

 
3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories


Jack Misiura
Application Security Consultant


-----------

Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

 
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.

 

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin import a CSV file containing the following in the header:

'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"


3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

 

4. Advisory URL

https://www.themissinglink.com.au/security-advisories

Top Authors In Last 30 Days

Red Hat 217 files
indoushka 135 files
Ubuntu 92 files
Gentoo 33 files
Debian 27 files
Jasper Nota 25 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Google Security Research 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,110)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,913)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,631)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,781)
UNIX (9,441)
UnixWare (187)
Windows (6,676)
Other

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

Share This

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems