Advertisement






WordPress DirectoriesPro 1.3.45 Cross Site Scripting

CVE Category Price Severity
CVE-2020-29303 CWE-79 N/A Medium
Author Risk Exploitation Type Date
Unknown High Remote 2020-12-12
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120084

Below is a copy:

WordPress DirectoriesPro 1.3.45 Cross Site Scripting
Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or JavaScript injection.

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories <http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F> &q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the  _t_ parameter is set to an invalid or non-existent CSRF token.

filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal

 
3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories


Jack Misiura
Application Security Consultant


-----------

Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

 
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.

 

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin import a CSV file containing the following in the header:

'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"


3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

 

4. Advisory URL

https://www.themissinglink.com.au/security-advisories

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.