The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
1. Create/edit a Post Type via the plugin (wp-admin/admin.php?page=cptc-page) and put the following payload in the “Singular Label” and “Plural Label” fields: The XSS will be triggered in all backend pages. 2. Create/edit a taximony via the plugin (/wp-admin/admin.php?page=ctc-page), put the following payload in the “Singular Label” and “Plural Label” fields:
, then tick the Attach to ‘Post’ The XSS will be triggered when accessing the related taximony via the Post menu (e.g /wp-admin/edit-tags.php?taxonomy=b)
CPE | Name | Operator | Version |
---|---|---|---|
wck-custom-fields-and-custom-post-types-creator | lt | 2.3.3 |