XSS in WP plugin Chamber Dashboard Business Directory

2020-08-31 05:00:00 -0500

Issue Description

XSS in WordPress plugin Chamber Dashboard Business Directory.

Problem

User entered input which contains HTML/JS is not properly encoded on output, resulting in XSS.

Affected versions

Tested on version 3.2.8 (latest)

Details

Enter payload into affected field (phone field in this example) and update company profile.
Enter

In WordPress admin choose Businesses -> All Businesses and entered payload is executed :)
Enter
Enter

Previous example was around phone field, because this is displayed in directory listing and therefore can be used as attack vector with less clicks requried from admin.

Other vulnerable fields include:

  • Country
  • State
  • Social media url
  • E-mail
  • City
  • Zip
  • Address
  • Location
  • Hours