VYPR
Low severity · CVSS 3.5 · NVD Advisory · Published Mar 31, 2024 · Updated Apr 15, 2026

CVE-2015-10131

Description

A vulnerability was found in chrisy TFO Graphviz Plugin up to 1.9 on WordPress and classified as problematic. Affected by this issue is the function admin_page_load/admin_page of the file tfo-graphviz-admin.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.10 is able to address this issue. The name of the patch is 594c953a345f79e26003772093b0caafc14b92c2. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258620.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the TFO Graphviz WordPress plugin (≤1.9) allowed attackers to inject arbitrary scripts via unsanitized URL parameters in the admin interface.

Vulnerability

Overview

The TFO Graphviz plugin for WordPress, versions up to 1.9, contained a cross-site scripting (XSS) vulnerability in its admin interface. The functions admin_page_load and admin_page in tfo-graphviz-admin.php failed to sanitize URL parameters before using them in redirects and form actions. Specifically, the code used the output of add_query_arg and remove_query_arg without wrapping it in esc_url_raw or esc_url; called without a base URL, these helpers build on the current request URI, so attacker-controlled characters in that URI reached the redirect target and the form action unescaped, allowing an attacker to inject arbitrary JavaScript into the page [2].

Exploitation

An attacker could craft a malicious link containing a JavaScript payload in a query parameter (e.g., updated). If a WordPress administrator clicks the link, the payload executes in the context of the admin dashboard. No authentication is required to trigger the vulnerability, but the victim must have admin privileges for the attack to be effective. The attack is launched remotely by tricking an admin into visiting the crafted URL.

Impact

Successful exploitation allows an attacker to perform actions as the logged-in administrator, such as creating new admin accounts, modifying plugin settings, or injecting malicious content into the site. This can lead to full site compromise. The vulnerability is classified as low severity (CVSS 3.5) because it requires user interaction and admin privileges.

Mitigation

The issue was fixed in version 1.10 by adding esc_url_raw and esc_url calls to sanitize the URLs [1][2]. Users should upgrade to version 1.10 or later. The plugin repository has since been archived and is read-only, so no further updates are expected.
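The vulnerable pattern and the corresponding fix, as an added illustration rather than the plugin's own code. The function names and the settings form are hypothetical; the WordPress helpers (add_query_arg, remove_query_arg, esc_url, esc_url_raw, wp_redirect) are the real ones the advisory names.

```php
<?php
// Added illustration, not the TFO Graphviz plugin's code. Function names are hypothetical.
// Context assumed: an admin settings page callback and its load hook in WordPress.

// VULNERABLE PATTERN. add_query_arg() with no base URL builds on $_SERVER['REQUEST_URI'],
// so whatever characters are present in the current request's query string flow
// straight into the HTML attribute and into the redirect target.
function example_admin_page_vulnerable() {
    // Unescaped: a quote or angle bracket in the request URI ends the attribute early.
    $form_action = add_query_arg( array( 'updated' => '1' ) );
    echo '<form method="post" action="' . $form_action . '">';
    // ... settings fields ...
    echo '</form>';
}

function example_admin_page_load_vulnerable() {
    if ( isset( $_POST['save'] ) ) {
        // Unescaped redirect target derived from the current URI.
        wp_redirect( add_query_arg( array( 'updated' => '1' ) ) );
        exit;
    }
}

// FIXED PATTERN, matching the 1.10 change described above:
//  - esc_url() for URLs printed into HTML: strips characters that cannot appear in a
//    URL (double quotes, angle brackets), entity-encodes the rest, and rejects protocols
//    outside WordPress's allow list.
//  - esc_url_raw() for URLs handed to a redirect or stored, where entity encoding is unwanted.
function example_admin_page_fixed() {
    $form_action = esc_url( add_query_arg( array( 'updated' => '1' ) ) );
    echo '<form method="post" action="' . $form_action . '">';
    // Treat the "updated" parameter as a flag with one accepted value instead of echoing it.
    if ( isset( $_GET['updated'] ) && '1' === $_GET['updated'] ) {
        echo '<div class="updated"><p>' . esc_html__( 'Settings saved.', 'example' ) . '</p></div>';
    }
    // ... settings fields ...
    echo '</form>';
}

function example_admin_page_load_fixed() {
    if ( isset( $_POST['save'] ) ) {
        $target = remove_query_arg( 'error', add_query_arg( array( 'updated' => '1' ) ) );
        wp_redirect( esc_url_raw( $target ) );
        exit;
    }
}
```

The same rule generalizes to any add_query_arg / remove_query_arg result that reaches markup or a Location header: escape at the point of output, and validate reflected flags against the small set of values the page actually expects.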

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
