WP Symposium Pro
cpe:2.3:a:wpsymposiumpro:wp-symposium:*:*:*:*:wordpress:*:*
- <= 2021.10
A stored cross-site scripting vulnerability has been identified in the WordPress plugin WP Symposium Pro, specifically in version 2021.10. This vulnerability allows authenticated attackers to inject malicious scripts by taking advantage of inadequate sanitization of the forum name parameter. Exploitation involves sending POST requests to the admin setup page with JavaScript payloads in the 'wps_admin_forum_add_name' parameter. The injected scripts are then executed when the forum is accessed.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the forum.
To reproduce this vulnerability, log into a WordPress site with WP Symposium Pro version 2021.10 installed. Navigate to the admin setup page and add a new forum. In the forum name field, insert a script payload, such as an image tag with an 'onerror' event. Once the forum is created, access it to trigger the execution of the injected script.
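The two controls that close this class of bug, input cleaning and output escaping, shown as an added example in plain PHP. It is not WP Symposium Pro's code; the function names and sample values are hypothetical. Inside WordPress the corresponding core helpers are `sanitize_text_field()` on input and `esc_html()` on output.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not code from WP Symposium Pro.

/** Input side: reduce a submitted forum name to plain text before storing it. */
function clean_forum_name(string $raw): string
{
    $name = strip_tags($raw);                                   // drop markup
    $name = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $name) ?? ''; // control chars
    return trim(preg_replace('/\s+/', ' ', $name) ?? '');       // collapse spaces
}

/** Output side: escape at the point the stored name is written into HTML. */
function render_forum_title(string $storedName): string
{
    // ENT_QUOTES also covers the case where the name lands in an attribute.
    return '<h2 class="forum-title">'
        . htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h2>';
}

/** The flawed pattern: the stored value is concatenated into the page as-is. */
function render_forum_title_unescaped(string $storedName): string
{
    return '<h2 class="forum-title">' . $storedName . '</h2>';
}

// Constructed sample values standing in for the wps_admin_forum_add_name field.
$samples = [
    'General discussion',
    'Q&A <b>help</b>',
    '<img src=x onerror=alert(1)>',
];

foreach ($samples as $raw) {
    printf("submitted : %s\n", $raw);
    printf("unescaped : %s\n", render_forum_title_unescaped($raw));
    printf("escaped   : %s\n", render_forum_title($raw));
    printf("cleaned   : %s\n\n", render_forum_title(clean_forum_name($raw)));
}
```

Output escaping is the control that matters for values already in the database: names stored before a fix is applied are rendered inert by `render_forum_title()` even though they never passed through `clean_forum_name()`.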