WordPress LearnDash LMS 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1897573 漏洞类型 跨站脚本
发布时间 2020-02-11 更新时间 2020-02-11
CVE编号 CVE-2020-7108 CNNVD-ID CNNVD-202001-826
漏洞平台 N/A CVSS评分 N/A
WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。LearnDash LMS是使用在其中的一个学习管理系统构建插件。 WordPress LearnDash LMS 3.1.2之前版本中的ld-profile搜索字段存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

3. Timeline

Vulnerability reported to the LearnDash team – January 14, 2020
LearnDash version 3.1.2 containing the fix released – January 14, 2020