WordPress DirectoriesPro 1.3.45 Cross Site Scripting

WordPress DirectoriesPro 1.3.45 Cross Site Scripting: Posted Dec 11, 2020; Authored by Jack Misiura; WordPress DirectoriesPro plugin version 1.3.45 suffers from multiple cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss; advisories | CVE-2020-29303, CVE-2020-29304; SHA-256 | 6aa12eb5e2a30f4c4d114b32f8b866bc1a6a86a0191f2dd3043d5c986c598b92; Download | Favorite | View

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or JavaScript injection.

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories <http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F> &q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the  _t_ parameter is set to an invalid or non-existent CSRF token.

filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal

 
3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories


Jack Misiura
Application Security Consultant


-----------

Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

 
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.

 

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin import a CSV file containing the following in the header:

'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"


3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

 

4. Advisory URL

https://www.themissinglink.com.au/security-advisories

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

Share This

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems