cjc.im / advisories / 0004

Stored XSS in WP User Notes


This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)



This plugin adds a text editor area to each User Profile in the dashboard for Administrators to keep private notes about each User.

Risk / Severity Rating

Not calculated

Description and Impact

The notes field for each user isn't properly sanitized and can contain javascript. Given that this only affects admins this really isn't a major issue. However,

  $notes = (!empty($_POST['user_notes_note']))?stripslashes($_POST['user_notes_note']):'';
update_user_meta($user_id, 'user-notes-note', $notes);

Proof of Concept

Simply entering the notes with javascript in <script> tags is enough to execute code in the context of other administrators.


Disable the plugin until an upgrade is available



The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.