Overview
The Admin Columns WordPress plugin (Free and Pro versions) renders the value passed in the custom column `Label` parameter on published pages without proper input validation. An authenticated attacker can take advantage of this to supply a crafted script that is then executed.
Details
The WordPress `Admin Columns` plugin has a feature for adding new customized column fields. The plugin is vulnerable to Stored Cross-Site Scripting because it does not properly validate the input sent in the custom column field `Label` parameter before rendering it on a published web page or post. Due to this flaw, an authenticated attacker can cause Stored Cross-Site Scripting.
PoC Details
The WordPress `Admin Columns` plugin renders the value passed in the `Label` field on published pages without proper input validation, which an attacker can take advantage of to supply a crafted script and have it executed. After activating the installed plugin, a new `Admin Columns` entry appears under the `Settings` option in the left side menu bar. Clicking the `Admin Columns` option from the `Settings` menu opens a page for adding admin columns; click the `Add Column` button there. Place the payload in the `Label` text field and click the update button. The given input payload creates a column field containing a hyperlink. To see the newly added column field, click the `View` button; the page then shows the newly added column field. The payload created a hyperlink with malicious JavaScript, and the code is executed once the hyperlink is clicked.
PoC Code
<a href="javascript:alert('XSS in admin columns plugin!');">click here</a>
Affected Environments
Versions 3.0 through 4.2.7
Prevention
Upgrade to 4.3
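For developers maintaining similar custom-field code, the following is an added illustration (not the Admin Columns plugin's own code, and written in Python rather than the plugin's PHP) of the rendering flaw the advisory describes beside its hardened form, plus a small audit helper a site owner could run over already-stored labels. The function names, the `<th>` wrapper, and the list-of-strings storage are assumptions; the payload string is the one from the PoC section above.

```python
import html
import re

# Constructed sample labels: one benign, one reproducing the advisory's PoC payload.
BENIGN_LABEL = "Featured image"
POC_LABEL = "<a href=\"javascript:alert('XSS in admin columns plugin!');\">click here</a>"


def render_header_unescaped(label: str) -> str:
    """Mirror the flaw the advisory describes: the stored label is placed in the
    column header markup verbatim, so any tags it contains become live HTML."""
    return f"<th>{label}</th>"


def render_header_escaped(label: str) -> str:
    """Hardened form: treat the label strictly as text. Escaping <, >, &, and both
    quote characters on output means a stored payload is displayed, not executed."""
    return f"<th>{html.escape(label, quote=True)}</th>"


# Indicators a defender can use to audit already-stored labels for markup or
# script-bearing content: HTML tags, javascript: URLs, and inline event handlers.
_MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>|javascript\s*:|\bon[a-zA-Z]+\s*=",
    re.IGNORECASE,
)


def audit_labels(labels):
    """Return the subset of stored labels that contain markup or script indicators.
    The plain list of strings stands in for the plugin's real storage (assumption)."""
    return [label for label in labels if _MARKUP.search(label)]


if __name__ == "__main__":
    print("unescaped :", render_header_unescaped(POC_LABEL))
    print("escaped   :", render_header_escaped(POC_LABEL))
    print("suspicious:", audit_labels([BENIGN_LABEL, POC_LABEL]))
```

The escaped renderer is the equivalent of WordPress's `esc_html()` on output: the label survives as visible text, but the `<a>` tag and its `javascript:` URL never reach the browser as markup. The audit helper is for triage after upgrading, since stored payloads created under a vulnerable version remain in the database until they are reviewed.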