WordPress Plugin Vulnerabilities
Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) - Authenticated Stored Cross-Site Scripting (XSS) in Custom Field
Description
The Admin Columns WordPress plugin allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns.
When a "Custom Field" was used with a database column that could be changed by attackers, JavaScript code could be injected. The code was executed when the table was rendered. Tables could be rendered both in the WordPress frontend and backend, possibly compromising high-privileged users.
Proof of Concept
1. Create a custom field for WordPress users which allows to store HTML control characters. This can be done, e.g., with the "Advanced Custom Fields" plugin [2]. 2. Store "<img src=0 onerror=alert()>" in the custom field for any user. 3. Open the Admin Columns plugin settings. 4. Choose the "Admin Columns" tab and select "Users" from the drop down menu. 5. Click "Add Column", choose the type "Custom Field" and select the previously created custom field. 6. Open the user list in the WordPress backend. The JavaScript code will be executed.
Affects Plugins
Fixed in 4.3.2
Fixed in 5.5.2 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Johannes Lauinger, SySS GmbH
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-05-31 (about 2 years ago)
Added
2021-06-21 (about 2 years ago)
Last Updated
2021-06-25 (about 2 years ago)
WPScan 