Search for hundreds of thousands of exploits

"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"

Author

Exploit author

"Jinson Varghese Behanan"

Platform

Exploit platform

php

Release date

Exploit published date

2020-02-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

3. Timeline

Vulnerability reported to the LearnDash team  January 14, 2020
LearnDash version 3.1.2 containing the fix released  January 14, 2020
Release DateTitleTypePlatformAuthor
2020-07-29"Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-02"Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)"webappsphp"Jinson Varghese Behanan"
2020-02-17"Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48030/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.