Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters



Description
An authenticated persistent cross-site scripting vulnerability has been found in the plugin's web interface that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.
Proof of Concept
# Affected Version ~ Version: <= 3.1.3

# Reproduction Steps:

0. Authenticated Stored XSS in two parameters

1. Log in to WordPress and go to the plugin's Email page (http://192.168.144.128/wp-admin/admin.php?page=rencontre.php&renctab=mel)

2. Under "Introductory text for the summary email (After hello login - Before the smiles and contact requests)" and "Full text for the birthday mail (After hello pseudo)" there is a text area for each field

3. Enter/paste the payload into the text area and save

# POC:
Parameter: textmail & textanniv
Payload: </textarea></td><script>alert('XSS')</script>//
Encoded-Payload: %3C%2Ftextarea%3E%3C%2Ftd%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%2F%2F
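The payload works because the saved option is written back into the settings form without escaping for the textarea context, so its `</textarea></td>` closes the field and the following `<script>` lands in the page body. The following is an added example (not the Rencontre plugin's code; the option name, render functions and check are illustrative) showing the vulnerable echo beside the hardened form, run on the advisory's own payload:

```php
<?php
// Added example, not the plugin's code. Demonstrates the textarea breakout
// from the advisory and the context-correct escaping that neutralises it.

// The PoC payload exactly as an authenticated user would store it.
$stored = "</textarea></td><script>alert('XSS')</script>//";

// Vulnerable pattern (illustrative): the saved option is echoed straight
// into the settings form textarea.
function render_vulnerable(string $value): string
{
    return '<td><textarea name="textmail">' . $value . '</textarea></td>';
}

// Hardened pattern: escape for the HTML text/textarea context on output.
// In a WordPress plugin this is esc_textarea(), which wraps htmlspecialchars()
// with ENT_QUOTES and the blog charset, as mirrored here.
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<td><textarea name="textmail">' . $safe . '</textarea></td>';
}

// Defender-side check (illustrative): the template emits exactly one
// </textarea>; a second closer or any <script> tag means the stored value
// escaped the field and became live markup.
function breaks_out(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') > 1
        || stripos($html, '<script') !== false;
}

$bad  = render_vulnerable($stored);
$good = render_escaped($stored);

echo $bad, PHP_EOL;
echo $good, PHP_EOL;
var_dump(breaks_out($bad));
var_dump(breaks_out($good));
```

Output escaping is the fix that closes this class of bug regardless of what was stored; if the fields are meant to hold HTML for the outgoing mail, the value should additionally be filtered on save with `wp_kses_post()` (or `sanitize_textarea_field()` when plain text is intended) before it reaches `update_option()`.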

Affects Plugin

fixed in version 3.2

References

URL https://gist.github.com/Sathishshan/6c67d0fc2305ae87bb5179a483aa7895

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Sathish Shan
Submitter Sathish Shan
Submitter Website https://medium.com/@sathish_shan
Submitter Twitter sathishshans
Views 493
Verified No
WPVDB ID 9967

Timeline

Publicly Published 2019-08-04 (11 months ago)
Added 2019-12-08 (7 months ago)
Last Updated 2019-12-09 (7 months ago)
