CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything


Last revised:

An unauthenticated individual can cause arbitrary JavaScript to execute within /wp-admin/ in the browser of a logged-in admin user. This could be achieved by sending a link to the admin user.

The attacker could use this to create a new user, create posts, add arbitrary PHP code (if the theme/plugin editor component is enabled) – almost anything a logged-in admin user can do.

Current state: Identified

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Step 1: Log in.

Step 2: Visit this URL to store the arbitrary HTML: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Step 3: Visit this URL to execute the JavaScript: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect

Step 3 is unnecessary in browsers without XSS filtering (i.e. Firefox).

Advisory timeline

  • 2017-03-17: Discovered
  • 2017-03-20: Sent a public message on Twitter requesting the ability to DM with them
  • 2017-03-20: Plugin author responded that the plugin was abandonware and that I could DM them
  • 2017-03-21: Sent another public message as I was still unable to send them a DM
  • 2017-04-04: Sent another public message
  • 2017-04-10: The plugin was removed from
  • 2017-04-24: Sent another public message to check that the plugin was permanently removed
  • 2017-05-08: Published
  • 2017-09-29: Requested CVE

Mitigation/further actions

The plugin author has indicated that this plugin is abandonware and has unpublished it from the WordPress directory. Disable and uninstall the plugin as this bug won’t be fixed.