CVE-2020-35698 in Online Course Creation Platform
Summary
by MITRE • 07/25/2023
Thinkific Thinkific Online Course Creation Platform 1.0 is affected by: Cross Site Scripting (XSS). The impact is: execute arbitrary code (remote). The component is: Affected Source code of the website CMS which is being used by many to host their online courses using the Thinkific Platform. The attack vector is: To exploit the vulnerability any user has to just visit the link - https://hacktify.thinkific.com/account/billing?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E.

Thinkific is a Website based Learning Platform Product which is used by thousands of users worldwide. There is a Cross Site Scripting (XSS) based vulnerability in the code of the CMS where any attacker can execute an XSS attack. Proof of Concept & Steps to Reproduce:
Step 1: Go to Google.com
Step 2: Search for this Dork site:thinkific.com -www
Step 3: You will get a list of websites which are running on the thinkific domains.
Step 4: Create account and sign in on any of the websites
Step 5: Add this endpoint at the end of the domain and you will see that there is an XSS Alert /account/billing?success=%E2%80%AAalert(1)
Step 6: Choose any domain from Google for any website; this exploit will work on all the websites as it is a code based flaw in the CMS
Step 7: Thousands of websites are vulnerable due to this vulnerable code in the CMS itself which is giving rise to the XSS attack.
Analysis
by VulDB Data Team • 04/24/2025
The vulnerability identified as CVE-2020-35698 represents a critical cross site scripting flaw within the Thinkific online course creation platform version 1.0. This security weakness resides in the content management system's source code that powers thousands of educational websites globally, making it a significant threat vector for attackers seeking to compromise user sessions and execute malicious code remotely. The vulnerability manifests through improper input validation and output encoding mechanisms within the platform's billing endpoint, specifically in the handling of the success parameter. The attack exploits the platform's failure to sanitize user-supplied input, allowing malicious payloads to be injected and subsequently executed in the context of other users' browsers. This particular implementation demonstrates a classic stored XSS vulnerability where the malicious script is embedded within the URL parameter and persists until the page is loaded, making it particularly dangerous for widespread exploitation across the entire Thinkific ecosystem.
The technical exploitation of this vulnerability follows a well-defined attack pattern that aligns with CWE-79 Cross Site Scripting categories and maps directly to ATT&CK technique T1059.007 for command and scripting interpreter. Attackers can leverage this flaw by constructing malicious URLs containing encoded script tags that bypass the platform's input sanitization measures. The proof of concept demonstrates how a simple URL parameter manipulation can trigger the XSS payload, where the encoded payload %E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E effectively bypasses basic validation by using unicode bidirectional override characters. This approach allows the attacker to inject JavaScript code that executes in the victim's browser context, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The vulnerability's impact extends beyond individual websites to affect the entire platform ecosystem, as all sites utilizing the same CMS codebase are susceptible to the same attack vector.
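The following is an added example (not Thinkific's code and not part of the advisory) showing what the percent-encoded payload quoted in the summary becomes once the server decodes the success query parameter, how a template that interpolates that value verbatim turns it into a live tag, and how HTML-encoding at render time keeps the same value inert. The %E2%80%AA prefix decodes to U+202A LEFT-TO-RIGHT EMBEDDING, an invisible Unicode format (category Cf) character; the hardened renderer drops such characters before encoding, since they have no place in a flash message and can hide content from a reviewer. The template fragment and function names are assumptions for illustration; the payload itself travels in the URL and is echoed in the response to whoever opens the link, which is why the fix belongs at output time.

```python
# Added example (not Thinkific's code): how the ``success`` query parameter
# of /account/billing becomes live markup when interpolated unescaped, and
# how output encoding prevents it. Template and names are hypothetical.
import html
import unicodedata
from urllib.parse import parse_qs, urlsplit

# The encoded payload quoted in the advisory, exactly as it appears in the URL.
ADVISORY_URL = (
    "https://hacktify.thinkific.com/account/billing"
    "?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E"
)


def success_param(url: str) -> str:
    """Return the percent-decoded ``success`` query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("success", [""])[0]


def render_billing_vulnerable(success: str) -> str:
    """Hypothetical vulnerable template: the parameter is dropped into the
    HTML verbatim, so a value containing tags becomes executable markup."""
    return f'<div class="flash">{success}</div>'


def strip_format_chars(text: str) -> str:
    """Remove Unicode format characters (category Cf). This covers the
    bidirectional control U+202A that leads the advisory's payload; such
    characters are invisible and carry no meaning in a status message."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def render_billing_hardened(success: str) -> str:
    """Hardened rendering: drop format characters, then HTML-encode the value
    so ``<``, ``>``, ``&`` and quotes can never open a tag or an attribute."""
    clean = html.escape(strip_format_chars(success), quote=True)
    return f'<div class="flash">{clean}</div>'


def contains_script_tag(markup: str) -> bool:
    """True if the rendered HTML holds a literal ``<script`` opening tag,
    i.e. a browser would parse it as an element rather than as text."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    value = success_param(ADVISORY_URL)
    print(repr(value))                       # leading U+202A, then the tags
    print(render_billing_vulnerable(value))  # live <script> element
    print(render_billing_hardened(value))    # &lt;script&gt;... as inert text
```

The vulnerable and hardened renderers receive the identical decoded value; only the hardened one encodes at the HTML boundary, which is the control the analysis above describes as missing.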
The operational implications of this vulnerability are severe given Thinkific's widespread adoption by educational institutions and content creators worldwide. The remote code execution capability means that attackers can potentially compromise user sessions, steal sensitive information, or manipulate course content across thousands of websites simultaneously. The attack vector requires minimal technical expertise, as demonstrated by the simple URL construction method, making it particularly dangerous for mass exploitation. Security researchers have noted that this vulnerability represents a critical failure in the platform's security architecture, where input validation should have been implemented at multiple layers to prevent such attacks. The persistent nature of stored XSS attacks means that once a malicious payload is injected, it will continue to affect users until the vulnerability is patched, creating an ongoing threat to platform integrity. Organizations using Thinkific must urgently address this vulnerability to prevent potential data breaches and maintain user trust in their educational platform services.
Mitigation strategies for CVE-2020-35698 should include immediate implementation of proper input sanitization and output encoding mechanisms throughout the platform's codebase. The most effective approach involves applying strict validation to all user-supplied input parameters, particularly those used in URL query strings and form submissions, with comprehensive encoding of all dynamic content before rendering in web pages. Organizations should implement Content Security Policy headers to prevent unauthorized script execution, while also deploying web application firewalls to detect and block malicious payloads. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in the platform's codebase, with particular attention to areas handling user-generated content. The fix should involve proper sanitization of the success parameter in the billing endpoint, ensuring that any input containing script tags or other malicious code is either rejected or properly encoded to prevent execution. Additionally, implementing proper access controls and monitoring mechanisms will help detect potential exploitation attempts and provide early warning of security incidents. Security teams should also consider implementing automated vulnerability scanning tools to continuously monitor for similar XSS vulnerabilities across the entire platform infrastructure, ensuring comprehensive protection against future attacks.
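As an added example (not Thinkific's code), here are the detection and Content Security Policy parts of the mitigation described above: a scan over constructed access-log lines that flags requests whose success parameter still carries markup after the encoding tricks are undone (a second percent-decode for double encoding, NFKC folding, and removal of invisible format characters such as U+202A), and a Content-Security-Policy value under which an inline script reflected into the billing page would not execute. The log lines, the watched parameter list, and the nonce are constructed placeholders; the exact log layout and the application's nonce generation are assumptions.

```python
# Added example (not Thinkific's code): flag requests whose ``success``
# parameter carries markup, and a CSP header that makes a reflected inline
# script inert. Log lines below are constructed, not real traffic.
import re
import unicodedata
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in a combined-log layout (placeholder IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2023:10:01:02 +0000] "GET /account/billing?success=Saved HTTP/1.1" 200 5120
203.0.113.11 - - [25/Jul/2023:10:01:09 +0000] "GET /account/billing?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210
203.0.113.12 - - [25/Jul/2023:10:02:30 +0000] "GET /account/billing?success=%3Cb%3ESaved%3C%2Fb%3E HTTP/1.1" 200 5203
203.0.113.13 - - [25/Jul/2023:10:03:00 +0000] "GET /courses HTTP/1.1" 200 8801
"""

# Request line inside the quotes: method, target (path plus query), version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Heuristic: a ``<`` that opens a tag, end tag or declaration. A status
# message never legitimately contains one, so any hit is worth a look.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)

WATCHED_PARAMS = ("success",)  # assumption: the parameters the page reflects


def normalize_param(value: str) -> str:
    """Collapse the tricks an encoded payload relies on before matching:
    a second percent-decode (double encoding), NFKC folding of look-alike
    characters, and removal of format characters (Cf) such as U+202A."""
    value = unquote(value)
    value = unicodedata.normalize("NFKC", value)
    return "".join(ch for ch in value if unicodedata.category(ch) != "Cf")


def suspicious_params(target: str, watched=WATCHED_PARAMS) -> dict:
    """Return {param: normalized_value} for watched query parameters of a
    request target whose normalized value looks like HTML."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name in watched:
        for raw in query.get(name, []):
            cleaned = normalize_param(raw)
            if MARKUP_RE.search(cleaned):
                hits[name] = cleaned
    return hits


def scan_log(text: str) -> list:
    """Return (client_ip, path, param, value) for every request line whose
    watched parameter carries markup."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        target = match.group("target")
        for name, value in suspicious_params(target).items():
            findings.append((client_ip, urlsplit(target).path, name, value))
    return findings


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value (header value only) under which inline
    scripts do not run: scripts only from the site's own origin or carrying
    the per-response nonce, which the application must generate afresh for
    each response (placeholder here)."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(csp_header("PLACEHOLDER_NONCE"))
```

The scan is a triage aid, not a substitute for the output-encoding fix: it catches the advisory's payload only because normalization strips the U+202A prefix before matching, and a policy without 'unsafe-inline' in script-src is what stops a reflected inline script if one still reaches the browser.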