Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) – Authenticated Stored Cross-Site Scripting (XSS) in Custom Field | CVE 2021-24365

Description

The Admin Columns WordPress plugin allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns.

When a "Custom Field" was used with a database column that could be changed by attackers, JavaScript code could be injected. The code was executed when the table was rendered. Tables could be rendered both in the WordPress frontend and backend, possibly compromising high-privileged users.

Proof of Concept

1. Create a custom field for WordPress users which allows to store HTML
   control characters. This can be done, e.g., with the "Advanced Custom
   Fields" plugin [2].

2. Store "<img src=0 onerror=alert()>" in the custom field for any user.

3. Open the Admin Columns plugin settings.

4. Choose the "Admin Columns" tab and select "Users" from the drop down
   menu.

5. Click "Add Column", choose the type "Custom Field" and select the
   previously created custom field.

6. Open the user list in the WordPress backend. The JavaScript code will
   be executed.