WordPress DirectoriesPro plugin version 1.3.45 suffers from multiple cross site scripting vulnerabilities.
ea91243869739ae676c39bebb79d51c4
Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication
1. Vulnerability Description
The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id in a POST request, allowing for HTML or JavaScript injection.
2. PoC
On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories <http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F> &q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the _t_ parameter is set to an invalid or non-existent CSRF token.
filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal
3. Solution
The vendor provides an updated version (1.3.46) which should be installed immediately.
4. Advisory URL
https://www.themissinglink.com.au/security-advisories
Jack Misiura
Application Security Consultant
-----------
Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched version
2020-12-07 Fix confirmed
2020-12-10 Publication
1. Vulnerability Description
The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.
2. PoC
On a WordPress installation with a vulnerable DirectoriesPro plugin import a CSV file containing the following in the header:
'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"
3. Solution
The vendor provides an updated version (1.3.46) which should be installed immediately.
4. Advisory URL
https://www.themissinglink.com.au/security-advisories