## https://sploitus.com/exploit?id=PACKETSTORM:160452
Title: Reflected XSS  
Product: WordPress DirectoriesPro Plugin by SabaiApps  
Vendor Homepage: https://directoriespro.com/  
Vulnerable Version: 1.3.45  
Fixed Version: 1.3.46  
CVE Number: CVE-2020-29303  
  
Author: Jack Misiura from The Missing Link   
Website: https://www.themissinglink.com.au  
  
Timeline:  
2020-11-26 Disclosed to Vendor  
2020-11-27 Vendor releases patched version  
2020-12-07 Fix confirmed  
2020-12-10 Publication  
  
  
  
1. Vulnerability Description  
  
The WordPress DirectoriesPro plugin did not sanitise the _drts_form_build_id parameter of a POST request before echoing it back, allowing for HTML or JavaScript injection.  
  
2. PoC  
  
On a WordPress installation with a vulnerable DirectoriesPro plugin, issue the following POST request while logged in as Administrator to, for example, http://example.com/wp-admin/admin.php?page=drts/directories&q=%2Fdirectories%2Fstaff%2Fexport%2F. Please note, the _t_ parameter is set to an invalid or non-existent CSRF token.  
  
filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>alert('Reflected%20XSS');</script>%20onmouseover="&_t_=1234567&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal  
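The following is an added illustration, not code from the advisory or from the DirectoriesPro plugin (which is PHP; Python is used here only because it runs stand-alone). It decodes the PoC body above, shows why writing the build id back into an attribute verbatim turns the value into live markup, shows the same value rendered inert by attribute escaping (esc_attr() in WordPress), and adds a small detection rule that flags request parameters carrying markup characters. The PoC sends an invalid _t_ token, so whichever code path handles a failed token check must apply the same escaping to anything it echoes. The form-body parser, the rendering functions and the detection rule are this example's own assumptions.

```python
"""Added example: reflected parameter, vulnerable vs escaped rendering, detection."""
import re
from html import escape
from urllib.parse import unquote_plus

# Constructed copy of the PoC request body quoted in the advisory above.
POC_BODY = (
    'filename=staff_txt&pretty_print=1&_drts_form_build_id=123"><script>'
    "alert('Reflected%20XSS');</script>%20onmouseover=\"&_t_=1234567"
    "&_drts_form_submit%5B0%5D=0&_ajax_=%23drts-modal"
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.

    Splits on '&' only, so the ';' inside the payload stays part of the value
    (older urllib.parse.parse_qs versions would also split on ';')."""
    params: dict = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def build_id_from_body(body: str) -> str:
    """Return the submitted _drts_form_build_id (empty string if absent)."""
    return parse_form_body(body).get("_drts_form_build_id", [""])[0]


def render_vulnerable(build_id: str) -> str:
    """Unsafe (hypothetical) rendering: the value is written into the attribute
    verbatim, so a '"' in it closes the attribute and the rest becomes markup."""
    return f'<input type="hidden" name="_drts_form_build_id" value="{build_id}">'


def render_hardened(build_id: str) -> str:
    """Safe rendering: attribute-escape the value (esc_attr() in WordPress).
    Quotes, '<' and '>' become entities, so the browser sees one inert string."""
    safe = escape(build_id, quote=True)
    return f'<input type="hidden" name="_drts_form_build_id" value="{safe}">'


# A form build id never legitimately needs these characters.
MARKUP_CHARS = re.compile(r'[<>"]')


def params_with_markup(params: dict) -> list:
    """Detection helper for WAF rules or log review: names of parameters whose
    value contains markup characters."""
    return sorted(
        name for name, values in params.items()
        if any(MARKUP_CHARS.search(v) for v in values)
    )


if __name__ == "__main__":
    params = parse_form_body(POC_BODY)
    build_id = build_id_from_body(POC_BODY)
    print("decoded value :", build_id)
    print("vulnerable    :", render_vulnerable(build_id))
    print("hardened      :", render_hardened(build_id))
    print("flagged params:", params_with_markup(params))
```

Escaping at the point of output is the fix that holds regardless of which handler, including the CSRF-failure handler, ends up echoing the value; the detection rule is a complement for spotting exploitation attempts in request logs, not a substitute.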
  
  
3. Solution  
  
The vendor provides an updated version (1.3.46) which should be installed immediately.  
  
4. Advisory URL  
  
https://www.themissinglink.com.au/security-advisories  
  
  
Jack Misiura  
Application Security Consultant  
  
  
-----------  
  
Title: Self-reflected XSS  
Product: WordPress DirectoriesPro Plugin by SabaiApps  
Vendor Homepage: https://directoriespro.com/  
Vulnerable Version: 1.3.45  
Fixed Version: 1.3.46  
CVE Number: CVE-2020-29304  
  
Author: Jack Misiura from The Missing Link   
Website: https://www.themissinglink.com.au  
  
  
Timeline:  
2020-11-26 Disclosed to Vendor  
2020-11-27 Vendor releases patched version  
2020-12-07 Fix confirmed  
2020-12-10 Publication  
  
  
  
1. Vulnerability Description  
  
The WordPress DirectoriesPro plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.  
  
  
  
2. PoC  
  
On a WordPress installation with a vulnerable DirectoriesPro plugin, import a CSV file containing the following in the header:  
  
'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"  
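The following is an added illustration, not code from the advisory or from the plugin. It reads a constructed CSV whose first header cell is the payload above, checks each column name against a strict allowlist so the import can be refused, and escapes every name (esc_html() in WordPress) wherever it is rendered, including in the error message shown to the importing admin, which is exactly where a self-reflected payload would otherwise fire. The allowlist pattern and the rendering functions are this example's own assumptions.

```python
"""Added example: allowlist validation and escaping of CSV column names on import."""
import csv
import io
import re
from html import escape

# Constructed header cell carrying the payload quoted in the advisory above.
PAYLOAD = "'term<b>\" autofocus onfocus={alert('Complex\\u0020XSS');alert(document.cookie);}//'\""
MALICIOUS_CSV = PAYLOAD + ",email\nalice,alice@example.com\n"

# Allowlist for column names: letters, digits, underscore, space, dot, hyphen;
# 1 to 64 characters. Anything else is rejected rather than "cleaned".
COLUMN_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_ .-]{0,63}$")


def read_header(csv_text: str) -> list:
    """Return the first row (the column names) of a CSV document.
    The csv module keeps a '"' that appears mid-field as a literal character,
    so the payload arrives intact, exactly as a plugin would see it."""
    reader = csv.reader(io.StringIO(csv_text))
    return next(reader, [])


def validate_columns(header: list) -> tuple:
    """Split column names into (accepted, rejected) by the allowlist.
    An import with any rejected name should be refused."""
    accepted = [name for name in header if COLUMN_NAME.match(name)]
    rejected = [name for name in header if not COLUMN_NAME.match(name)]
    return accepted, rejected


def render_header_row(header: list) -> str:
    """HTML for a column-mapping table row with every cell escaped, so even a
    name that slipped past validation is shown as text, not parsed as markup."""
    cells = "".join(f"<th>{escape(name, quote=True)}</th>" for name in header)
    return f"<tr>{cells}</tr>"


def import_error(rejected: list) -> str:
    """Error message for the importing admin. The rejected names are escaped
    here too: echoing them raw is what makes the XSS self-reflected."""
    shown = ", ".join(escape(name, quote=True) for name in rejected)
    return f"<p>Import refused: invalid column name(s): {shown}</p>"


if __name__ == "__main__":
    header = read_header(MALICIOUS_CSV)
    accepted, rejected = validate_columns(header)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print(render_header_row(header))
    print(import_error(rejected))
```

Validation and escaping are both needed: the allowlist stops hostile names from being stored and reused in later pages, and output escaping covers every place the raw name is displayed before that decision is made.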
  
  
3. Solution  
  
The vendor provides an updated version (1.3.46) which should be installed immediately.  
  
  
  
4. Advisory URL  
  
https://www.themissinglink.com.au/security-advisories