Vendor: WP-UserOnline
By: Steffin Stanly
CVSS: 8.8 (HIGH)
Vulnerability: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: WP-UserOnline
Affected Version From: 2.87.6
Affected Version To: 2.87.6
Patch Exists: Yes
Related CWE:
CPE: a:lesterchan:wp-useronline
Metasploit:
Other Scripts:
Platforms Tested: Windows
2022

WordPress Plugin WP-UserOnline 2.87.6 – Stored Cross-Site Scripting (XSS)

A stored XSS vulnerability exists in the WordPress plugin WP-UserOnline version 2.87.6 and below. An attacker can exploit this vulnerability by entering a malicious JavaScript payload into the User(s) Browsing Site field in the plugin settings. Because the stored value is rendered without escaping, the JavaScript executes whenever that output is triggered, allowing the attacker to gain access to the viewing user's session.

Mitigation:

Update to the latest version of the plugin.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
# Date: 21/07/2022
# Exploit Author: Steffin Stanly
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://wordpress.org/plugins/wp-useronline/
# Version: <=2.87.6
# Tested on Windows

How to reproduce vulnerability:

1. Install WordPress 6.0.1
2. Install and activate WP-UserOnline plugin.
3. Navigate to Setting >> WP-UserOnline and enter the data into the User(s) Browsing Site.
4. Add the following payload "><script>alert(1)</script> and save changes
5. On visiting the dashboard, you will observe that the payload was successfully stored in the database, and when you trigger the same functionality the JavaScript payload executes successfully and you get a pop-up.
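The root cause described above (a settings value echoed into markup unescaped) and the fix the mitigation implies, as an added illustration that is not the plugin's own code: the option name `useronline_site_template`, the nonce action name and the function names are assumed.

```php
<?php
// Illustrative example, not code from WP-UserOnline. The option name
// 'useronline_site_template' and all function names are assumptions.

// VULNERABLE pattern: the saved setting is printed straight into an attribute
// and into the page body. A value such as  "><script>alert(1)</script>
// closes the attribute and the injected script runs for every viewer.
function render_site_template_vulnerable() {
    $tpl = get_option( 'useronline_site_template', '%USERS% browsing this site' );
    echo '<input type="text" name="site_template" value="' . $tpl . '">';
    echo '<p class="useronline">' . $tpl . '</p>';
}

// HARDENED, step 1: gate the save on capability + nonce and sanitize input.
function save_site_template( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'useronline_save_settings' ); // rejects forged requests
    $clean = sanitize_text_field( wp_unslash( $raw ) );  // strips tags/control chars
    return update_option( 'useronline_site_template', $clean );
}

// HARDENED, step 2: escape on output for the exact context it lands in.
// Sanitizing on save alone is not enough; old stored values and other
// writers of the option are still rendered here.
function render_site_template_hardened() {
    $tpl = get_option( 'useronline_site_template', '%USERS% browsing this site' );
    // Attribute context: esc_attr() encodes quotes and angle brackets,
    // so "> cannot break out of the value="..." attribute.
    echo '<input type="text" name="site_template" value="' . esc_attr( $tpl ) . '">';
    // HTML body context: esc_html() encodes <, >, &, and quotes.
    echo '<p class="useronline">' . esc_html( $tpl ) . '</p>';
}

// If the template legitimately needs a little markup, allow only a fixed
// whitelist with wp_kses() rather than echoing the stored string raw.
function render_site_template_with_markup() {
    $tpl     = get_option( 'useronline_site_template', '%USERS% browsing this site' );
    $allowed = array( 'strong' => array(), 'em' => array() );
    echo '<p class="useronline">' . wp_kses( $tpl, $allowed ) . '</p>';
}
```

Auditing a plugin for this bug class means checking every `echo`/`printf` of a `get_option()` value for a context-appropriate `esc_*()` call, not just whether input is sanitized on save.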