WordPress Advanced Custom Fields: Table Field 1.1.12 XSS

Type packetstorm
Reporter Tom Adams
Modified 2016-08-13T00:00:00


Software: Advanced Custom Fields: Table Field  
Version: 1.1.12  
Homepage: https://wordpress.org/plugins/advanced-custom-fields-table-field/  
Advisory report: https://security.dxw.com/advisories/xss-in-advanced-custom-fields-table-field-could-allow-authenticated-users-to-do-almost-anything-an-admin-user-can/  
CVE: Awaiting assignment  
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)  
Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can  
This plugin allows users (who have permission to edit posts) to inject JavaScript into pages within /wp-admin/. This means a user can exceed their privileges by creating a script that causes an admin's browser to perform an action, such as creating a new admin user, deleting all posts, etc.
Proof of concept  
Add a new ACF field group  
Add a new table-type field to that field group  
Create a new post/page, wherever the field group is set to display  
Enter "<script>alert(1)</script>" into a field and save the post
Visit the page again, and the injected JavaScript will be executed  
Tested with ACF PRO v5. Not tested with v4.  
Update to version 1.1.13 or later.
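The pattern behind this class of bug, shown as an added illustration that is not the plugin's own code and not the vendor's actual fix: a stored table-cell value written into an admin page unescaped, beside the same output escaped with WordPress's context-specific escapers. The function names and the stored sample value are constructed for this example.

```php
<?php
// Illustrative only: the render functions below are hypothetical and the
// stored value is constructed; neither is taken from the plugin.

// Fallbacks so the file runs outside WordPress. Inside WordPress the real
// esc_attr() and esc_html() from wp-includes/formatting.php are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the value saved by a post editor is concatenated
// straight into the admin markup, so the advisory's payload becomes a live
// <script> element the moment an administrator opens the page.
function render_table_cell_unsafe($value) {
    return '<td>' . $value . '</td>';
}

// Hardened pattern: escape at the point of output, and pick the escaper
// that matches the HTML context (element content vs. attribute value).
function render_table_cell_safe($value) {
    return '<td><input type="text" name="cell" value="' . esc_attr($value) . '">'
         . '<span class="preview">' . esc_html($value) . '</span></td>';
}

// Constructed sample: the payload from the proof of concept above, as a
// low-privileged user could have saved it into a table cell.
$stored = '<script>alert(1)</script>';

echo "Unsafe: " . render_table_cell_unsafe($stored) . "\n";
echo "Safe:   " . render_table_cell_safe($stored) . "\n";
```

The unsafe output carries the script tag through verbatim; the safe output turns `<` and `>` into `&lt;` and `&gt;`, so the browser displays the text rather than executing it.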
Disclosure policy  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.  
This vulnerability will be published if we do not receive a response to this report within 14 days.
2016-07-13: Discovered  
2016-07-13: Reported to vendor by email
2016-07-13: Requested CVE  
2016-07-13: Vendor's autoresponder said they were unavailable until 1st August
2016-08-01: Vendor reported they were working on a fix  
2016-08-01: Vendor reported issue fixed in 1.1.13  
2016-08-08: Advisory published  
Discovered by dxw:  
Tom Adams  
Please visit security.dxw.com for more information.