WordPress Advanced Custom Fields: Table Field 1.1.12 XSS

2016-08-13T00:00:00
ID PACKETSTORM:138325
Type packetstorm
Reporter Tom Adams
Modified 2016-08-13T00:00:00

Description

                                        
                                            `Details  
================  
Software: Advanced Custom Fields: Table Field  
Version: 1.1.12  
Homepage: https://wordpress.org/plugins/advanced-custom-fields-table-field/  
Advisory report: https://security.dxw.com/advisories/xss-in-advanced-custom-fields-table-field-could-allow-authenticated-users-to-do-almost-anything-an-admin-user-can/  
CVE: Awaiting assignment  
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)  
  
Description  
================  
Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can  
  
Vulnerability  
================  
This plugin allows users (who haveA permission to edit posts) to inject JavaScript into pages within /wp-admin/. ThisA means aA user canA exceed their privileges by creating a script that causes an adminas browser to perform an action,A such as creating a new admin user, deleting all posts, etc.  
  
Proof of concept  
================  
  
Add a new ACF field group  
Add a new table-type field to that field group  
Create a new post/page, wherever the field group is set to display  
Enter a<script>alert(1)</script>a into a field and save the post  
Visit the page again, and the injected JavaScript will be executed  
  
Tested with ACF PRO v5. Not tested with v4.  
  
Mitigations  
================  
Update toA versionA 1.1.13 or later.  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2016-07-13: Discovered  
2016-07-13: Reported to vendor byA email  
2016-07-13: Requested CVE  
2016-07-13: Vendoras autoresponder saidA they were unavailable until 1st August  
2016-08-01: Vendor reported they were working on a fix  
2016-08-01: Vendor reported issue fixed in 1.1.13  
2016-08-08: Advisory published  
  
  
  
Discovered by dxw:  
================  
Tom Adams  
Please visit security.dxw.com for more information.  
  
  
  
  
`