WordPress Plugin Vulnerabilities

TinyMCE Custom Styles < 1.1.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Go to "Settings" »  "TinyMCE Custom Styles" section.

2. In the "2. Manage your custom styles for TinyMCE's Formats dropdown" area under the "Title" and "Type Value" fields add payload: "><script>alert(1);</script>

3. Save all the settings. Load the page,and an alert box with the number "1" will pop up.

Affects Plugins

Plugin icon
tinymce-custom-styles
Fixed in 1.1.4

References

CVE
CVE-2023-2967

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Yassir Sbai Fahim
Submitter
Yassir Sbai Fahim
Submitter website
https://iduzzel.com/
Submitter twitter
@iduzzel
Verified
Yes
WPVDB ID
9afec4aa-1210-4c40-b566-64e37acf2b64

Timeline

Publicly Published
2023-06-19 (about 5 months ago)
Added
2023-06-19 (about 5 months ago)
Last Updated
2023-06-19 (about 5 months ago)

Other

Published
Title
Published
2022-10-24
Title
IP Blacklist Cloud Plugin <= 5.00 - Admin+ Stored XSS
Published
2023-04-19
Title
Continuous announcement scroller <= 13.0 - Admin+ Stored XSS
Published
2015-10-26
Title
Visitors Online < 0.4 - SQL Injection
Published
2023-01-13
Title
alfred24 Click & Collect <= 1.1.7 - Admin+ Stored XSS
Published
2015-04-20
Title
Give - Cross-Site Scripting (XSS)