Abstract
A Cross-Site Scripting vulnerability was found in the Paid Memberships Pro WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure or force a logged-in WordPress Administrator into opening a malicious website.
OVE ID
OVE-20160714-0015
Tested versions
This issue was successfully tested on Paid Memberships Pro WordPress Plugin version 1.8.9.3.
Fix
This issue is resolved in Paid Memberships Pro version 1.8.10.
Introduction
Details
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request.
The plugin_status request parameter is not validated or escaped before it is echoed back into the page, in paid-memberships-pro/adminpages/addons.php:

Line 33: $status = $_REQUEST['plugin_status'];
Line 72: echo admin_url("admin.php?page=pmpro-addons&force-check=1&plugin_status=" . $status);
An attacker needs to lure a logged-in admin to follow the link in the proof of concept below.
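The following is an added example, not code from the plugin or from this advisory: it places the unescaped echo pattern from addons.php next to a hardened version that allowlists the value and escapes it for the HTML context. WordPress is not loaded, so admin_url() is replaced by a hypothetical stand-in, htmlspecialchars() stands in for WordPress's esc_url(), and the allowlist values are constructed for the demo.

```php
<?php
// Added example (not the plugin's own code). Shows why the reflected value in
// addons.php is exploitable and how the same output can be built safely.

// Hypothetical stand-in for WordPress's admin_url(): only prefixes the admin path.
function demo_admin_url(string $path): string {
    return 'https://example.test/wp-admin/' . $path;
}

// Vulnerable pattern from the advisory: request input is concatenated straight
// into HTML output without validation or escaping.
function build_link_vulnerable(array $request): string {
    $status = $request['plugin_status'];
    return demo_admin_url("admin.php?page=pmpro-addons&force-check=1&plugin_status=" . $status);
}

// Hardened pattern: restrict the value to known states, URL-encode it when
// building the query string, then escape the whole URL for the HTML context.
// In a real plugin wrap the output in esc_url(); htmlspecialchars() is the
// plain-PHP equivalent used here so the script runs without WordPress.
function build_link_hardened(array $request): string {
    $allowed = ['all', 'active', 'inactive', 'update-available']; // constructed allowlist
    $status  = $request['plugin_status'] ?? 'all';
    if (!in_array($status, $allowed, true)) {
        $status = 'all'; // unknown value: fall back to a default, never reflect it
    }
    $url = demo_admin_url(
        "admin.php?page=pmpro-addons&force-check=1&plugin_status=" . rawurlencode($status)
    );
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request: a harmless marker that closes the attribute and injects a tag.
$request = ['plugin_status' => '"><b>marker</b>'];

echo "vulnerable: " . build_link_vulnerable($request) . PHP_EOL; // marker lands in the page as markup
echo "hardened:   " . build_link_hardened($request)   . PHP_EOL; // falls back to plugin_status=all
```

Run with `php example.php`; the vulnerable line reproduces the tag verbatim, while the hardened line never emits the attacker-controlled value at all.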