Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDavide TaraschiPACKETSTORM:164974
HistoryNov 15, 2021 - 12:00 a.m.

WordPress WPSchoolPress 2.1.16 Cross Site Scripting

2021-11-1500:00:00
Davide Taraschi
packetstormsecurity.com
224
cross site scripting
wpschoolpress
wordpress
sanitization
stored xss
teacher
student attendance
subject mark field
exam
cve-2021-24664
httponly cookies

EPSS

0.001

Percentile

41.5%

JSON
`# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)  
# Date: 20/08/2021  
# Exploit Author: Davide Taraschi  
# Vendor Homepage: https://wpschoolpress.com/  
# Software Link: https://wpschoolpress.com/free-download/  
# Version: up to 2.1.17 (non included)  
# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2  
# CVE : CVE-2021-24664  
  
# Description:  
The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.  
The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript.  
  
# PoC:  
As admin,  
- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)//  
The XSS will be triggered when adding another teacher attendance by clicking on the Add button  
  
- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)//  
The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button  
  
- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)//  
The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)  
  
- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)//  
The XSS will be triggered when editing the Subject  
  
- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)//  
The XSS will be triggered when editing the Exam=20  
  
Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies.  
  
`

Related

zdt 1
exploitdb 1
patchstack 2
cnvd 1
cvelist 1
prion 1
cve 1
nvd 1
zdt
zdt
WordPress WPSchoolPress 2.1.16 Plugin - (Multiple) Cross Site Scripting Vulnerability
2021-11-15 00:00:00
exploitdb
exploitdb
WordPress Plugin WPSchoolPress 2.1.16 - &#039;Multiple&#039; Cross Site Scripting (XSS)
2021-11-15 00:00:00
patchstack
patchstack
WordPress WPSchoolPress plugin <= 2.1.16 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
2021-10-11 00:00:00
WordPress WPSchoolPress plugin <= 2.1.16 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
2021-10-11 00:00:00
cnvd
cnvd
WordPress WPSchoolPress plugin cross-site scripting vulnerability
2021-11-10 00:00:00
cvelist
cvelist
CVE-2021-24664 WPSchoolPress < 2.1.17 - Multiple Admin+ Stored Cross-Site Scripting
2021-11-08 17:34:58
prion
prion
Cross site scripting
2021-11-08 18:15:00
cve
cve
CVE-2021-24664
2021-11-08 18:15:08
nvd
nvd
CVE-2021-24664
2021-11-08 18:15:08

EPSS

0.001

Percentile

41.5%

JSON
Related for PACKETSTORM:164974
zdt1exploitdb1patchstack2cnvd1cvelist1prion1cve1nvd1