• Resolved Joe Banks

    (@joenasagrc)


    Our vulnerability scanner (Netsparker Cloud) is reporting a cross-site scripting vulnerability in the form “userlist” created by User List widget.

    Site name scrubbed from below (changed to site.gov)

    Version of your plugin is current: 2.2.2

    Variable passed to form that creates XSS error.

    '"--></style></scRipt><scRipt>netsparker(0x003BC6)</scRipt>

    Request and response

    Request
    GET /users/login/?'"--></style></scRipt><scRipt>netsparker(0x003BC6)</scRipt> HTTP/1.1
    Cache-Control: no-cache
    Referer: https://site.gov/users/
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
    Accept-Language: en-us,en;q=0.5
    X-Scanner: Netsparker Cloud
    Host: site.gov
    Cookie: wordpress_test_cookie=WP+Cookie+check
    Accept-Encoding: gzip, deflate
    Response
    …
    en" name="wppb_login" value="true"/><input type="hidden" name="wppb_form_location" value="page"/><input type="hidden"
    name="wppb_request_url" value="https://site.gov:443/users/login/?\'\"--></style></scRipt><scRipt>netsparker(0x003BC6)</scRipt>"/><input type="hidden" name="wppb_lostpassword_url" value=""/>
    </form></div></div><div class="content-box red"><strong>Forget or need to reset your password?</strong>
    <div class="wppb_holder" id=
    …
    rs_widget-2" class="widget users"><div class="widget-wrap"><h2 class="widgettitle">Current List of Site Members</h2>
    <div class="wrap"><!-- form wrap -->
    <form id="userlist" action="/users/login/?\'\"--></style></scRipt><scRipt>netsparker(0x003BC6)</scRipt>" method="post">
    <input type="hidden" name="action" value="save" />
    <input type="hidden" id="amr-meta" name="amr-meta" value="1cfec20499" /><input type="hidden" name="_wp_http_referer" value="/users/l

    https://wordpress.org/plugins/profile-builder/
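As an added illustration (not code from the Profile Builder plugin or from this thread), the snippet below reproduces the pattern visible in the quoted response: the request URI lands inside the form's `action` attribute with only backslash-escaped quotes, which an HTML parser does not honour, so the scanner's probe breaks out of the attribute. The hypothetical `render_action_safe` percent-encodes the query string (as the author's reply says the `wppb_request_url` hidden input does) and HTML-escapes it for the attribute context; `injected_script_tags` uses the standard-library parser to count how many `<script>` start tags a browser-like parser would actually see.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed request URI carrying the scanner's probe from the report above.
PROBE_URI = "/users/login/?'\"--></style></scRipt><scRipt>netsparker(0x003BC6)</scRipt>"


def render_action_vulnerable(request_uri: str) -> str:
    """Hypothetical renderer reproducing the pattern seen in the response:
    quotes are backslash-escaped (addslashes style) and the result is dropped
    into the action attribute. HTML ignores backslashes, so the payload's '"'
    still terminates the attribute value and its '>' closes the <form> tag."""
    escaped = request_uri.replace("'", "\\'").replace('"', '\\"')
    return f'<form id="userlist" action="{escaped}" method="post">'


def render_action_safe(request_uri: str) -> str:
    """Defensive renderer: percent-encode the query string (what the author's
    reply says the hidden wppb_request_url input does), then HTML-escape the
    whole value for the attribute context."""
    path, sep, query = request_uri.partition("?")
    uri = path + sep + quote(query, safe="/=&")
    return f'<form id="userlist" action="{html.escape(uri, quote=True)}" method="post">'


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the parser actually emits."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.scripts += 1


def injected_script_tags(markup: str) -> int:
    """Return how many <script> start tags are parsed from the markup;
    zero means the probe stayed inside the attribute value."""
    counter = _ScriptCounter()
    counter.feed(markup)
    counter.close()
    return counter.scripts


if __name__ == "__main__":
    for name, render in (("vulnerable", render_action_vulnerable),
                         ("safe", render_action_safe)):
        print(name, injected_script_tags(render(PROBE_URI)))
```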

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Cristian Antohe

    (@sareiodata)

    Hi Joe,

    Thank you for reporting this.

    However, we can’t seem to replicate it. Testing with the $_GET parameters as in your example, the wppb_request_url hidden input correctly escapes the script into something like:

    http://localhost/pb20/login/?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x003BC6)%3C/scRipt%3E

    Would it be possible for you to contact me via http://www.cozmoslabs.com/support/open-ticket/ with a link to the website in question so I can test it there? Perhaps we’re missing something.

    Thread Starter Joe Banks

    (@joenasagrc)

    Thank you for your reply about not being able to replicate it. This leads me to item #2 below.

    There are a couple of issues:

    1. The site itself is behind a firewall.

    2. I may work to replicate this in another instance of a site to see if this is being caused by something else.

    I will contact you via support when I have something further to report or to show you directly.

    Joe

  • The topic ‘XSS Vulnerability Detected in Form Created by User List Widget’ is closed to new replies.