Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

WordPress DirectoriesPro 1.3.45 Cross Site Scripting

Related Vulnerabilities: CVE-2020-29303   CVE-2020-29304  
Publish Date: 11 Dec 2020
Author: Jack Misiura
Source 
                							

                Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or JavaScript injection.

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories <http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F> &q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the  _t_ parameter is set to an invalid or non-existent CSRF token.

filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal

 
3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories


Jack Misiura
Application Security Consultant


-----------

Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

 
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication

 

1. Vulnerability Description

The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.

 

2. PoC

On a WordPress installation with a vulnerable DirectoriesPro plugin import a CSV file containing the following in the header:

'term<b>" autofocus onfocus={alert('Complex020XSS');alert(document.cookie);}//'"


3. Solution

The vendor provides an updated version (1.3.46) which should be installed immediately.

 

4. Advisory URL

https://www.themissinglink.com.au/security-advisories
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started