WordPress plugin wpschoolpress 2.1.16 -'multiple'cross site scripting (XSS)

supply ​​ Business Homepage ：https://wpschoolpress.com/

Software link ：https://wpschoolpress.com/free-download/

edition ： The highest 2.1.17（ Not included ）

test ：Ubuntu 20.04 over WordPress 5.8 and apache2

CVE：CVE-2021-24664

The plug-in uses the name sanitize_text_field() Of wordpress Built in functions clean up some fields , But they were not correctly escaped before the attributes were output , Cause storage cross site scripting problems . function wp_sanitize_text_field() escape < and > But no escape image " Such characters , Allow attackers to destroy HTML Enter the tag and inject any javascript.

Proof of concept ：

As Administrator

- Add new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Check the absence box and put the following payloads into the reason ：“style=animation-name:rotation onanimationstart=alert(/XSS /)// By clicking “ add to ” Button to add other teachers' attendance will trigger XSS - Add a new student attendance (/wp-admin/admin.php?page=sch-attendance), Check the absence box and put the following payloads into the reason ：" style=animation-name:rotation onanimationstart=alert(/XSS /)// By clicking “ add to / to update ” Button to add another attendance will trigger XSS

- Add a new topic tag field (/wp-admin/admin.php?page=sch-settings&sc=subField) And put the following payload into “ Field ”：“ autofocus onfocus=alert(/XSS/)// When you edit the created theme tag, it will trigger XSS（ namely /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3）

- Create a new theme (/wp-admin/admin.php?page=sch-subject), Include the following payload in the topic name field ：“ autofocus onfocus=alert(/XSS/)// When you edit a topic XSS

- Create a new exam using the following payload in the exam name field (/wp-admin/admin.php?page=sch-exams)：“ autofocus onfocus=alert(/XSS/)// edit Exam=20 Will trigger XSS

Please note that , Some of them XSS Questions can be asked by teachers （ Moderately privileged user ） perform , But because of wordpress Use HTTPonly cookie, So it is impossible to steal cookie.