cjc.im / advisories / 0004

Stored XSS in WP User Notes

Credit

This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)

Timeline

Product

This plugin adds a text editor area to each User Profile in the dashboard for Administrators to keep private notes about each User.

Risk / Severity Rating

Not calculated

Description and Impact

The notes field for each user is not properly sanitized before it is stored and can contain JavaScript. Given that this only affects administrators, this really isn't a major issue. However,

  // The raw POST value is stored as-is; stripslashes() only undoes magic quotes and performs no sanitization.
  $notes = (!empty($_POST['user_notes_note'])) ? stripslashes($_POST['user_notes_note']) : '';
  update_user_meta($user_id, 'user-notes-note', $notes);
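For comparison, the following is an added illustrative example, not the plugin's own code or its eventual fix, showing the vulnerable save handler from the advisory next to a hardened version that checks capability and nonce, reduces the note to the markup subset wp_kses_post() permits, and escapes again on output. The function names, the hook names and the nonce action string are assumptions drawn from standard WordPress profile-editing conventions.

```php
<?php
// Added example, not the plugin's own code. Function and hook names are
// assumptions; the WordPress API calls (current_user_can, check_admin_referer,
// wp_unslash, wp_kses_post, update_user_meta, get_user_meta) are real.

// Vulnerable shape, as quoted in the advisory: the raw POST value is stored
// without any sanitization, so <script> tags survive into user meta.
function user_notes_save_unsafe( $user_id ) {
    $notes = ( ! empty( $_POST['user_notes_note'] ) ) ? stripslashes( $_POST['user_notes_note'] ) : '';
    update_user_meta( $user_id, 'user-notes-note', $notes );
}

// Hardened shape:
//  1. only a user allowed to edit this profile may save a note;
//  2. the request must carry the nonce WordPress emits on the profile form
//     (core already verifies it before firing the hook; re-checking here keeps
//     the handler safe if it is ever wired to a different entry point);
//  3. the markup is reduced to the allow-list wp_kses_post() permits, which
//     drops <script> and on* event-handler attributes.
function user_notes_save_hardened( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    check_admin_referer( 'update-user_' . $user_id ); // assumed nonce action for the profile form

    $raw   = isset( $_POST['user_notes_note'] ) ? wp_unslash( $_POST['user_notes_note'] ) : '';
    $notes = wp_kses_post( $raw );
    update_user_meta( $user_id, 'user-notes-note', $notes );
}

// Output side: filter again when rendering. Rows stored before the fix may
// still hold script tags, so stored data is never trusted on its own.
function user_notes_render( $user_id ) {
    $notes = get_user_meta( $user_id, 'user-notes-note', true );
    echo wp_kses_post( $notes );
}

// Wiring (hook names are the standard profile-update hooks; which one the
// plugin really uses is an assumption).
add_action( 'edit_user_profile_update', 'user_notes_save_hardened' );
add_action( 'personal_options_update', 'user_notes_save_hardened' );
```

Applying wp_kses_post() both on save and on render means an existing malicious note already in the database stops executing as soon as the rendering path is updated, without needing a data migration.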

Proof of Concept

Simply entering the notes with javascript in <script> tags is enough to execute code in the context of other administrators.

Solution

Disable the plugin until an upgrade is available.

References

Legal

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.