what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Admin Columns Cross Site Scripting

WordPress Admin Columns Cross Site Scripting
Posted Jun 22, 2021
Authored by Johannes Lauinger | Site syss.de

WordPress Admin Columns plugin versions below 5.5.2 Pro and 4.3.2 Pro suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2021-24365
SHA-256 | 7d7376474770f3c76734318152b6a560b3a2a6645e0b86b13b95bee7521627b0

WordPress Admin Columns Cross Site Scripting

Change Mirror Download
Advisory ID:               SYSS-2021-032
Product: Admin Columns WordPress Plug-In
Manufacturer: Codepress
Affected Version(s): <5.5.2 (Pro version), <4.3.2 (Free version)
Tested Version(s): 5.5.1 (Pro version), 4.3 (Free version)
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2021-05-28
Solution Date: 2021-06-18
Public Disclosure: 2021-06-21
CVE Reference: CVE-2021-24365
Author of Advisory: Johannes Lauinger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Admin Columns is a WordPress plug-in, which allows creating tables of
data based on a custom columns configuration. The plug-in also allows
changing standard tables in the WordPress back end.

The manufacturer describes the product as follows (see [1]):

"Growing websites can become challenging to manage. Admin Columns helps
you to overcome this challenge. Create insightful overviews to easily
find, order, filter and update your content."

Due to missing escaping of HTML tags in columns of the type "Custom
Field", tables are vulnerable to persistent cross-site scripting
attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Admin Columns allows configuring individual columns for tables. Each
column has a type. The type "Custom Field" allows choosing an arbitrary
database column to display in the table. There is no escaping applied to
the contents of "Custom Field" columns.

When a "Custom Field" is used with a database column that can be
changed by attackers, JavaScript code can be injected. The code is
executed when the table is rendered. Tables can be rendered both in the
WordPress front end and back end, possibly compromising high-privileged
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Create a custom field for WordPress users which allows storing HTML
control characters. This can be done, e.g., with the "Advanced Custom
Fields" plug-in [2].

2. Store "<img src=0 onerror=alert()>" in the custom field for any user.

3. Open the Admin Columns plug-in settings.

4. Choose the "Admin Columns" tab and select "Users" from the drop-down
menu.

5. Click "Add Column", choose the type "Custom Field" and select the
previously created custom field.

6. Open the user list in the WordPress back end. The JavaScript code
will be executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Admin Columns to at least version 5.5.2 (Pro version) or 4.3.2
(free version).

In earlier versions, do not use the "Custom Fields / Custom Field" type
when configuring columns in the Admin Columns plug-in settings.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-05-27: Vulnerability discovered
2021-05-28: Vulnerability reported to manufacturer
2021-06-18: Patch released by manufacturer
2021-06-21: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Admin Columns
https://www.admincolumns.com
[2] Product website for Advanced Custom Fields
https://www.advancedcustomfields.com
[3] SySS Security Advisory SYSS-2021-032

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-032.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Johannes Lauinger of SySS GmbH.

E-Mail: johannes.lauinger@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Johannes_Lauinger.asc
Key ID: 0xC4314DF622D60262
Key Fingerprint: 3F79 A293 AE08 0A92 65EB 25D2 C431 4DF6 22D6 0262

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

--
Johannes Lauinger
IT Security Consultant

Pronomen: er, ihn, Herr
______________________________________________________________

SySS GmbH
Schaffhausenstraße 77, 72072 Tübingen, Germany
Tel: +49 (0)7071 - 40 78 56-6224
Mobil: +49 (0)151 - 29 23 56 39
E-Mail: johannes.lauinger@syss.de
Conf. Calls: https://syss.zoom.us/
Web: https://syss.de

PGP-Fingerprint: 3F79 A293 AE08 0A92 65EB 25D2 C431 4DF6 22D6 0262

Geschäftsführer: Sebastian Schreiber
Registergericht: Amtsgericht Stuttgart / HRB 382420
Steuernummer: 86118 / 55809
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close