Menu

Search for hundreds of thousands of exploits

"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"

Author

Exploit author

"Jinson Varghese Behanan"

Platform

Exploit platform

php

Release date

Exploit published date

2020-02-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

3. Timeline

Vulnerability reported to the LearnDash team  January 14, 2020
LearnDash version 3.1.2 containing the fix released  January 14, 2020
Release DateTitleTypePlatformAuthor
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload"webappsphp"Mehran Feizi"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-02-12"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow"localwindowsZwX
2020-02-11"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"webappscgiLuca.Chiou
2020-02-11"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting"webappsphp"Sayak Naskar"
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-10"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow"localwindowsZwX
Release DateTitleTypePlatformAuthor
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-13"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-13"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload"webappsphp"Mehran Feizi"
2020-02-11"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting"webappsphp"Sayak Naskar"
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-07"EyesOfNetwork 5.3 - Remote Code Execution"webappsphp"Clément Billac"
2020-02-07"QuickDate 1.3.2 - SQL Injection"webappsphp"Ihsan Sencan"
2020-02-07"VehicleWorkshop 1.0 - 'bookingid' SQL Injection"webappsphp"Mehran Feizi"
2020-02-07"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection"webappsphp"Amel BOUZIANE-LEBLOND"
2020-02-06"Online Job Portal 1.0 - 'user_email' SQL Injection"webappsphp"Ihsan Sencan"
2020-02-06"Online Job Portal 1.0 - Remote Code Execution"webappsphp"Ihsan Sencan"
2020-02-06"Online Job Portal 1.0 - Cross Site Request Forgery (Add User)"webappsphp"Ihsan Sencan"
2020-02-06"Ecommerce Systempay 1.0 - Production KEY Brute Force"webappsphplive3
2020-02-04"Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit)"webappsphpmekhalleh
2020-02-03"phpList 3.5.0 - Authentication Bypass"webappsphp"Suvadip Kar"
2020-02-03"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)"webappsphpJ3rryBl4nks
2020-02-03"IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting"webappsphp"Lutfu Mert Ceylan"
2020-01-31"Lotus Core CMS 1.0.1 - Local File Inclusion"webappsphp"Daniel Monzón"
2020-01-31"FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)"webappsphp"Ismail Tasdelen"
2020-01-30"PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass"localphpmm0r1
2020-01-30"rConfig 3.9.3 - Authenticated Remote Code Execution"webappsphpvikingfr
2020-01-29"Centreon 19.10.5 - 'Pollers' Remote Command Execution"webappsphp"Omri Baso"
2020-01-29"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution"webappsphp"Fabien AUNAY"
2020-01-29"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)"webappsphpJ3rryBl4nks
2020-01-28"Octeth Oempro 4.8 - 'CampaignID' SQL Injection"webappsphp"Bruno de Barros Bulle"
Release DateTitleTypePlatformAuthor
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48030/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse