WordPress Custom Tables 3.4.4 - Cross-Site Scripting

By kannthu

High
Vidoc Module
#wpscan #wordpress #xss #wp-plugin
Description

What is "WordPress Custom Tables 3.4.4 - Cross-Site Scripting"?

The "WordPress Custom Tables 3.4.4 - Cross-Site Scripting" module is designed to detect a cross-site scripting vulnerability in the WordPress Custom Tables 3.4.4 plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to unauthorized access or data theft. The severity of this vulnerability is classified as high.

This module was authored by daffainfo.

Impact

If exploited, this vulnerability can have serious consequences for website owners and users. Attackers can execute arbitrary script in a victim's browser, steal sensitive information, or perform actions on behalf of the user without their consent. This can result in compromised user accounts, defacement of websites, or the spread of malware.

How does the module work?

The module sends a GET request to the "/wp-content/plugins/custom-tables/iframe.php" endpoint with a specific query parameter, "key". The module then checks the response for specific conditions to determine if the vulnerability is present.

An example of the request sent by the module:

GET /wp-content/plugins/custom-tables/iframe.php?s=1&key=</script><script>alert(document.domain)</script> HTTP/1.1

The module matches the following conditions:

- The response body contains the string "</script><script>alert(document.domain)</script>".
- The response header contains the string "text/html".
- The response status code is 200.

If all conditions are met, the module reports the vulnerability.
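
The three matching conditions above, as an added Python example that is not Vidoc's module code: it evaluates them against constructed responses to show why an HTML-encoded reflection, a non-HTML content type, or a non-200 status does not produce a report. Restricting the header check to Content-Type, the function names and the sample bodies are assumptions.

```python
import html

# Probe string the module looks for in the response (taken from the page).
PROBE = "</script><script>alert(document.domain)</script>"


def module_matches(status, headers, body):
    """Return True only when all three of the module's conditions hold."""
    # The page says the response header contains "text/html"; checking only
    # the Content-Type header is an assumption of this example.
    content_type = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value.lower()
    return status == 200 and "text/html" in content_type and PROBE in body


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    # Parameter reflected verbatim into an HTML page: all conditions hold.
    "reflected_raw": (200, {"Content-Type": "text/html; charset=UTF-8"},
                      "<script>var key='" + PROBE + "';</script>"),
    # Same page with output encoding: the probe no longer appears verbatim.
    "reflected_encoded": (200, {"Content-Type": "text/html; charset=UTF-8"},
                          "<p>key: " + html.escape(PROBE) + "</p>"),
    # Verbatim echo served as JSON: the content-type condition fails.
    "json_echo": (200, {"Content-Type": "application/json"},
                  '{"key": "' + PROBE + '"}'),
    # Error page echoing the value: the status condition fails.
    "not_found": (404, {"Content-Type": "text/html"},
                  "<h1>Not found: " + PROBE + "</h1>"),
}


def evaluate_samples():
    """Map each constructed sample name to the matcher's verdict."""
    return {name: module_matches(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} -> {'report' if hit else 'no match'}")
```

Only the verbatim reflection in a 200 HTML response is reported, which is why correct output encoding of the "key" value makes the module stop matching.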

For more information, refer to the WPScan vulnerability report.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-content/plugins/...
Matching conditions
word: </script><script>alert(document.domain)<... and
word: text/html and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability