Exploit for WordPress Admin Columns Cross Site Scripting CVE-2021-24365

Name: Exploit for WordPress Admin Columns Cross Site Scripting CVE-2021-24365
Rating: 5 (223 reviews)
2021-06-22 | CVSS 0.0
## https://sploitus.com/exploit?id=PACKETSTORM:163246
Advisory ID: SYSS-2021-032  
Product: Admin Columns WordPress Plug-In  
Manufacturer: Codepress  
Affected Version(s): <5.5.2 (Pro version), <4.3.2 (Free version)  
Tested Version(s): 5.5.1 (Pro version), 4.3 (Free version)  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2021-05-28  
Solution Date: 2021-06-18  
Public Disclosure: 2021-06-21  
CVE Reference: CVE-2021-24365  
Author of Advisory: Johannes Lauinger, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Admin Columns is a WordPress plug-in, which allows creating tables of  
data based on a custom columns configuration. The plug-in also allows  
changing standard tables in the WordPress back end.  
  
The manufacturer describes the product as follows (see [1]):  
  
"Growing websites can become challenging to manage. Admin Columns helps  
you to overcome this challenge. Create insightful overviews to easily  
find, order, filter and update your content."  
  
Due to missing escaping of HTML tags in columns of the type "Custom  
Field", tables are vulnerable to persistent cross-site scripting  
attacks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
Admin Columns allows configuring individual columns for tables. Each  
column has a type. The type "Custom Field" allows choosing an arbitrary  
database column to display in the table. There is no escaping applied to  
the contents of "Custom Field" columns.  
  
When a "Custom Field" is used with a database column that can be  
changed by attackers, JavaScript code can be injected. The code is  
executed when the table is rendered. Tables can be rendered both in the  
WordPress front end and back end, possibly compromising high-privileged  
users.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
1. Create a custom field for WordPress users which allows storing HTML  
control characters. This can be done, e.g., with the "Advanced Custom  
Fields" plug-in [2].  
  
2. Store "<img src=0 onerror=alert()>" in the custom field for any user.  
  
3. Open the Admin Columns plug-in settings.  
  
4. Choose the "Admin Columns" tab and select "Users" from the drop-down  
menu.  
  
5. Click "Add Column", choose the type "Custom Field" and select the  
previously created custom field.  
  
6. Open the user list in the WordPress back end. The JavaScript code  
will be executed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update Admin Columns to at least version 5.5.2 (Pro version) or 4.3.2  
(free version).  
  
In earlier versions, do not use the "Custom Fields / Custom Field" type  
when configuring columns in the Admin Columns plug-in settings.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2021-05-27: Vulnerability discovered  
2021-05-28: Vulnerability reported to manufacturer  
2021-06-18: Patch released by manufacturer  
2021-06-21: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Admin Columns  
https://www.admincolumns.com  
[2] Product website for Advanced Custom Fields  
https://www.advancedcustomfields.com  
[3] SySS Security Advisory SYSS-2021-032  
  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-032.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Johannes Lauinger of SySS GmbH.  
  
E-Mail: johannes.lauinger@syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Johannes_Lauinger.asc  
Key ID: 0xC4314DF622D60262  
Key Fingerprint: 3F79 A293 AE08 0A92 65EB 25D2 C431 4DF6 22D6 0262  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
--   
Johannes Lauinger  
IT Security Consultant  
  
Pronomen: er, ihn, Herr  
______________________________________________________________  
  
SySS GmbH  
Schaffhausenstraße 77, 72072 Tübingen, Germany  
Tel: +49 (0)7071 - 40 78 56-6224  
Mobil: +49 (0)151 - 29 23 56 39  
E-Mail: johannes.lauinger@syss.de  
Conf. Calls: https://syss.zoom.us/  
Web: https://syss.de  
  
PGP-Fingerprint: 3F79 A293 AE08 0A92 65EB 25D2 C431 4DF6 22D6 0262  
  
Geschäftsführer: Sebastian Schreiber  
Registergericht: Amtsgericht Stuttgart / HRB 382420  
Steuernummer: 86118 / 55809