Note: Stored XSS vulnerability in the DEXs PM System WordPress plugin v1.0.1 allows attackers to inject malicious JavaScript via the message subject field with potential for full WordPress admin compromise.

Summary

WordPress plugin vulnerabilities are one of those areas where a bit of curiosity during downtime can turn into a real finding. This one came out of exactly that — some time between engagements, and a persistent Cross-Site Scripting issue in the DEXs PM System plugin.

Affected Versions

  • DEXs PM System WordPress Plugin — Version 1.0.1

CVSSv3 Score

5.4 (Medium) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Technical Details

The DEXs PM System plugin — a private messaging system for WordPress — fails to sanitise user input in the message subject field before storing it in the database. This means malicious JavaScript can be injected via the subject line when sending a message to another user, stored server-side, and executed in the browser of every user who subsequently opens that message.
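As an added illustration, not the plugin's own code, the following puts the vulnerable render pattern beside the hardened one using the WordPress escaping and sanitising helpers. The function names prefixed dexs_, the form field name subject and the h2 markup are assumptions; the shims at the top only exist so the file also runs outside WordPress, where the real esc_html(), sanitize_text_field() and wp_unslash() are already defined.

```php
<?php
// Added example (not from the DEXs PM System plugin): vulnerable vs hardened
// handling of a private-message subject. Names prefixed dexs_ are hypothetical.

// Shims so this file runs outside WordPress. Inside WP these functions exist
// and the shims are skipped; esc_html() in core is also htmlspecialchars-based.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        // WordPress adds slashes to $_POST; core strips them before use.
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Simplified stand-in for core: drop script/style blocks with their
        // contents, strip remaining tags and control bytes, collapse whitespace.
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', (string) $str );
        $str = strip_tags( $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}

// VULNERABLE pattern: the stored subject is concatenated into the page as-is,
// so whatever the sender typed becomes markup in the recipient's browser.
function dexs_render_subject_vulnerable( $subject ) {
    return '<h2 class="pm-subject">' . $subject . '</h2>';
}

// HARDENED: escape for the HTML-body context at output time. This is the
// control that neutralises the payload, including rows already in the DB.
function dexs_render_subject_hardened( $subject ) {
    return '<h2 class="pm-subject">' . esc_html( $subject ) . '</h2>';
}

// HARDENED, defence in depth: normalise the submitted value before storage.
// Input sanitising alone does not fix messages that were stored earlier.
function dexs_prepare_subject_for_storage( array $post_data ) {
    $raw = isset( $post_data['subject'] ) ? wp_unslash( $post_data['subject'] ) : '';
    return sanitize_text_field( $raw );
}

// Walk the advisory's proof-of-concept string through all three paths.
$payload = "<script>alert('xss');</script>";
echo 'Vulnerable render: ' . dexs_render_subject_vulnerable( $payload ) . PHP_EOL;
echo 'Hardened render:   ' . dexs_render_subject_hardened( $payload ) . PHP_EOL;
echo 'Stored after sanitize_text_field: "'
    . dexs_prepare_subject_for_storage( array( 'subject' => $payload ) ) . '"' . PHP_EOL;
```

Run it with php on the command line: the vulnerable path emits the script tag intact, the hardened path emits it as inert entity-encoded text. Escaping at output is the control that matters here, because it also covers subjects that are already sitting in the database; sanitising on the way in is worth adding, but it cannot retroactively clean stored rows. If the subject is also placed inside an attribute (for example a title="..." on the message row), the matching helper for that context is esc_attr(), not esc_html().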

This is the key distinction between persistent and reflected XSS: reflected XSS fires once, typically requiring the victim to click a crafted link. Persistent XSS is stored. It survives in the database and executes automatically for every affected user, without any further interaction from the attacker. That makes it significantly more dangerous from an impact perspective.

Proof of Concept

The following payload entered into the subject field when sending a message triggers execution in the recipient’s browser:

<script>alert('xss');</script>

When the receiving user opens the message, the JavaScript executes — confirmed here with a basic alert dialog. In a real attack scenario, alert() gets replaced with something considerably more harmful.