Abstract

Cross-site scripting (XSS) vulnerability (CVE-2019-11871) in the Custom Field Suite WordPress plugin by Matt Gibbs, versions before 2.5.1.4, allows authenticated attackers to inject arbitrary web script or HTML via the field name parameter. The injected markup is stored with the field and rendered to any user who later views the plugin's field settings (stored XSS).

Vulnerability Description

The Custom Field Suite plugin by Matt Gibbs is vulnerable to stored cross-site scripting (XSS) because the name of a custom field is neither sanitized when it is saved nor escaped when it is rendered back into the plugin's admin page. A user who is allowed to create fields can therefore save arbitrary HTML or JavaScript as the field name. The payload is persisted in the database and executes in the browser of every user, administrators included, who later opens the plugin's field settings, with the privileges of that user's authenticated session.

How to reproduce

Step 1

The attacker goes to the website, where the Custom Field Suite plugin is installed.

Step 2

The attacker obtains an account with editor or administrator rights, i.e. a role that is permitted to manage Custom Field Suite field groups. The issue is therefore only exploitable by an authenticated user with those privileges.

Step 3

The attacker goes to the Custom Field Suite plugin section and adds a new field. Instead of a field name, the attacker enters JavaScript code, for example "<script>alert(123)</script>".

Step 4

The Custom Field Suite plugin saves the created field, storing the payload unchanged as the field name.

Step 5

When an administrator (or any other user with access to the plugin's settings) opens the Custom Field Suite section, the stored field name is rendered unescaped and the malicious code executes in that user's browser.

Recommendation

Update Custom Field Suite to version 2.5.1.4 or later, which addresses this issue. In general, treat every value received from a user as untrusted: validate and sanitize it on input (in WordPress, for example with sanitize_text_field()) and, above all, escape it at the point of output with a function appropriate to the context, such as esc_html() for HTML text or esc_attr() for attribute values. Output escaping is the control that actually prevents XSS; input filtering alone can be bypassed or skipped by another code path that writes to the same field, so application code should never emit stored or submitted data directly to the browser without encoding it.
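The following stand-alone PHP script illustrates the vulnerable and the hardened rendering pattern side by side using the payload from step 3. It is an added example written for this advisory, not code from the Custom Field Suite plugin or from its author; the render_field_row_* and save_field_name functions are hypothetical, and the esc_html()/sanitize_text_field() shims are assumptions that approximate the real WordPress functions so the script runs outside WordPress.

```php
<?php
// Added example for this advisory: NOT code from the Custom Field Suite plugin.
// It models the vulnerable pattern (stored field name concatenated into markup)
// next to the hardened pattern (escaped at output, sanitized on save).
// Function names below are hypothetical and exist only for illustration.

// Shims so the script runs outside WordPress (assumption: these approximate the
// real esc_html() and sanitize_text_field(); WordPress' own versions are used
// automatically when the code runs inside WordPress).
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // The real function also strips octets and line breaks; tags + trim
        // is enough to show the effect here.
        return trim(strip_tags($text));
    }
}

// Vulnerable pattern: the stored name is written straight into the admin page,
// so a name of "<script>...</script>" becomes live markup in the viewer's browser.
function render_field_row_vulnerable(string $field_name): string {
    return '<tr><td class="field-name">' . $field_name . '</td></tr>';
}

// Hardened pattern: escape at the point of output, regardless of how the value
// got into the database. This alone neutralises the payload; the browser shows
// the angle brackets as literal text instead of executing a script.
function render_field_row_hardened(string $field_name): string {
    return '<tr><td class="field-name">' . esc_html($field_name) . '</td></tr>';
}

// Defence in depth: also sanitize on save so markup never reaches the database.
// Output escaping above is still required, because other code paths may write
// to the same field without passing through this function.
function save_field_name(string $submitted): string {
    return sanitize_text_field($submitted);
}

// The payload from step 3 of the reproduction.
$payload = '<script>alert(123)</script>';

echo 'vulnerable output : ' . render_field_row_vulnerable($payload) . PHP_EOL;
echo 'hardened output   : ' . render_field_row_hardened($payload) . PHP_EOL;
echo 'sanitized on save : ' . save_field_name($payload) . PHP_EOL;
```

Run with `php example.php`: the vulnerable line echoes the script tag intact, the hardened line turns every `<`, `>` and quote into an HTML entity so it is displayed rather than executed, and the sanitized-on-save line shows the tags removed before storage. The escaping function must match the output context; a field name placed inside an attribute would need esc_attr() instead of esc_html().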

Credits

Mark Parfeniuk, Penetration & Vulnerability Tester from REDdy Solutions