WordPress Profile Builder Plugin: Stored XSS

Simple stored Cross Site Scripting (XSS) found in WordPress Profile Builder Plugin version 5.2.7 and below.
This is just a PoC example, just fill in the minimum password length field with

[code]8″><script>alert(1)</script>[/code]




After we save the changes, the injected JavaScript executed successfully. This indicates that the plugin has a stored XSS vulnerability.

References

Leave a Reply

Your email address will not be published. Required fields are marked *