Stored Cross Site Scripting (XSS) in WordPress Profile Builder Plugin <= 5.2.7

Simple stored XSS found in WordPress Profile Builder Plugin version 5.2.7 and below.
This is just a PoC example, just fill in the minimum password length field with

8"><script>alert(1)</script>




After we save the changes, the injected JavaScript executed successfully. This indicates that the plugin has a stored XSS vulnerability.

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About f3ci