Profile Builder 2.0.2, Reflected XSS

The Profile Builder plugin for WordPress suffers from a Reflected XSS vulnerability in a file shipped with the default plugin installation, named ‘assets/misc/fallback-page.php’. The following query-string arguments (QSAs) are vulnerable: site_name, message, site_url

Homepage

https://wordpress.org/plugins/profile-builder

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 2.0.3

Proof of Concept

Visiting the following URL results in an alert being triggered

http://localhost/wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_name=%3Cscript%3Ealert(%22.%22);%3C/script%3E
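The bug class behind the PoC is a query-string value reflected straight into the HTML response. The PHP below is an added illustration of that pattern and of the fix, written for this advisory; it is not the plugin's actual fallback-page.php source (which the advisory does not reproduce), and the request values, function names and markup are constructed for the example. It can be run from the command line with `php` to compare the two renderings.

```php
<?php
// Added example: illustrative reconstruction of the bug class, not the plugin's code.
// The advisory's fallback page reflects site_name, message and site_url from the
// query string; the two renderers below show the unsafe pattern and a hardened one.

// Hypothetical request, constructed for this example (mirrors the advisory's PoC payload).
$request = [
    'site_name' => '<script>alert(".")</script>',
    'message'   => 'Plugin not active',
    'site_url'  => 'javascript:alert(1)',
];

// VULNERABLE: raw reflection of untrusted input into the document.
function render_vulnerable(array $get): string
{
    $site_name = $get['site_name'] ?? '';
    $message   = $get['message'] ?? '';
    $site_url  = $get['site_url'] ?? '';
    return "<h1>{$site_name}</h1><p>{$message}</p><a href=\"{$site_url}\">Back</a>";
}

// Escape a value for an HTML text or attribute context.
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http(s) URLs for an href, then escape for the attribute;
// anything else (e.g. a javascript: scheme) is dropped.
function esc_url_ctx(string $value): string
{
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_html_ctx($value);
}

// HARDENED: every reflected value is encoded for the context it lands in.
function render_hardened(array $get): string
{
    $site_name = esc_html_ctx((string) ($get['site_name'] ?? ''));
    $message   = esc_html_ctx((string) ($get['message'] ?? ''));
    $site_url  = esc_url_ctx((string) ($get['site_url'] ?? ''));
    return "<h1>{$site_name}</h1><p>{$message}</p><a href=\"{$site_url}\">Back</a>";
}

echo "Vulnerable: " . render_vulnerable($request) . PHP_EOL;
// Hardened output contains &lt;script&gt; rather than a live script tag,
// and the javascript: URL is replaced by an empty href.
echo "Hardened:   " . render_hardened($request) . PHP_EOL;
```

When the file is loaded inside WordPress, `esc_html()` and `esc_url()` provide the same two context-specific escapes; the plain `htmlspecialchars` and `filter_var` calls above are used here because a fallback page may run before WordPress is bootstrapped.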

Timeline

  • 2014-10-22: Discovered
  • 2014-10-22: Reported to vendor
  • 2014-10-22: Vendor responded with intent to fix
  • 2014-10-23: Version 2.0.3 released – issue fixed
  • 2014-10-27: CVE requested
  • 2014-10-27: CVE assigned
  • 2014-10-30: Advisory released