CVSS Summary
| Score | 6.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Advisory:
CSRF and XSS in Improved user search allow execution of arbitrary javascript in WordPress admin area
Vulnerability
Last revised:
If an attacker can trick an admin (via spearphishing for instance) into following a link they will be able to inject arbitrary JavaScript into the admin interface meaning that their code will be executed by an admin’s browser and will be able to do almost anything an admin user can do (create users, delete posts, etc).
Current state: Fixed
Proof of concept
Submission of this form on a malicious page visited by an administrator will activate a stored XSS. Some browsers will run alert(1) immediately but if you use a browser which attempts to block reflected XSS you will have to reload the page.
<form action="http://localhost/wp-admin/options-general.php?page=improved-user-search-in-backend/improved-user-search-in-backend.php" method="POST"> <input type="text" name="iusib_meta_fields" value="</textarea><script>alert(1)</script>"> <input type="text" name="improved_user_search_in_backend_update" value="true"> <input type="submit"> </form> Note that no interaction with the malicious page is necessary, as the form itself can be submitted via Javascript. The only action required is to trick the administrator into visiting the page.
Advisory timeline
- 2014-07-11: Discovered
- 2014-07-30: Reported
- 2014-08-02: Author reports issue fixed
- 2014-08-13: Published
Mitigation/further actions
Upgrade to version 1.2.6 or later.