BSK PDF Manager < 2.9.1 – Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not sanitise the view and cat_title POST parameter when creating or editing a category (/wp-admin/admin.php?page=bsk-pdf-manager), allowing authenticated users with a role as low as editor to set an XSS payload which will be triggered in the Categories list (wp-admin/admin.php?page=bsk-pdf-manager), Bulk Add by Media Library /wp-admin/admin.php?page=bsk-pdf-manager-add-by-media-library) and BSK PDF Documents (when the affected Category is used, wp-admin/admin.php?page=bsk-pdf-manager-pdfs).

The issue was initially from 2014 in v1.3, but was still present up to version 2.9, via the Category Title (cat_title POST parameter).

Proof of Concept

With an editor or admin account, add/edit a category with a Title of "><img src onerror=alert(/XSS/)>

Affects Plugins

bsk-pdf-manager

Fixed in 2.9.1

References

URL

https://packetstormsecurity.com/files/#125422/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.4 (high)

Miscellaneous

Original Researcher

HauntIT

Verified

Yes

WPVDB ID

bfab3125-7dea-4da1-8a38-b8f041d1caa3

Timeline

Publicly Published

2014-08-01 (about 11 years ago)

Added

2014-08-01 (about 11 years ago)

Last Updated

2021-04-09 (about 5 years ago)

Other

Published

Title

Published

2023-06-27

Title

Catalyst Connect Zoho CRM Client Portal < 2.1.0 - Admin+ Stored XSS

Published

2024-03-26

Title

Favicon Rotator < 1.2.11 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Duplicator - installer.cleanup.php package Parameter XSS

Published

2021-08-25

Title

Contact Form 7 Zoho < 1.1.8 - Reflected Cross-Site Scripting

Published

2025-01-20

Title

Link Library < 7.7.3 - Reflected Cross-Site Scripting