VYPR
Severity: Unrated · NVD Advisory · Published Jun 21, 2021 · Updated May 5, 2025

Admin Columns Free < 4.3 & Pro < 5.5.1 - Admin+ Stored XSS in Label

CVE-2021-24366

Description

Admin Columns Free < 4.3 & Pro < 5.5.1 allow admin+ Stored XSS via unsanitized label settings, even with unfiltered_html disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Admin Columns WordPress plugin (Free version before 4.3 and Pro version before 5.5.1) does not properly sanitize and escape its Label settings. This allows stored cross-site scripting (XSS) via the label input, which is used in column titles and list screen names. The vulnerability can be exploited even when the unfiltered_html capability is disallowed (e.g., in multisite networks). The fix introduces new Sanitize\FormData and Sanitize\Title classes that apply wp_kses() to the title and label fields before saving [1][2].
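To show the shape of the fix described above, here is an added illustration (not Admin Columns' own code) of an unsanitized settings save handler beside a hardened one that passes the label through wp_kses() with an explicit allowlist before storing it, and escapes it again on output. It assumes it runs inside WordPress (so wp_kses(), esc_html() and the options API exist); the acme_* function names and the option name are hypothetical.

```php
<?php
// Added illustration, not Admin Columns' own code. Assumes it runs inside
// WordPress so wp_kses(), esc_html() and the options API are available.
// The acme_* function names and the option name are hypothetical.

// Before: the label is stored exactly as submitted. Any administrator, even one
// without unfiltered_html, can persist markup that is later rendered in column
// titles and list screen names.
function acme_save_label_unsafe( array $post ) {
    $label = isset( $post['label'] ) ? (string) $post['label'] : '';
    update_option( 'acme_column_label', $label );
}

// After: an explicit allowlist of harmless inline tags; everything else,
// including <script> elements and on* event attributes, is stripped by
// wp_kses() before the value is saved.
function acme_allowed_label_html() {
    return array(
        'strong' => array(),
        'em'     => array(),
    );
}

function acme_sanitize_label( $label ) {
    return wp_kses( (string) $label, acme_allowed_label_html() );
}

function acme_save_label( array $post ) {
    $label = isset( $post['label'] ) ? $post['label'] : '';
    update_option( 'acme_column_label', acme_sanitize_label( $label ) );
}

// Defence in depth: sanitising on input does not replace escaping on output.
// Where the stored label is printed as plain text, escape it at that point.
function acme_render_label_text() {
    echo esc_html( get_option( 'acme_column_label', '' ) );
}

// Where the allowlisted inline tags are meant to render, re-apply the same
// allowlist on output so a value written by an older, unpatched version
// cannot slip through unfiltered.
function acme_render_label_html() {
    echo wp_kses( get_option( 'acme_column_label', '' ), acme_allowed_label_html() );
}
```

Applying the allowlist on both save and render is what keeps values persisted before the upgrade from being rendered raw.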

Exploitation

An attacker needs high-privilege access (Administrator role) to the WordPress admin area. The attacker can navigate to the Admin Columns settings, create or edit a column or list screen, and inject malicious JavaScript into the Label field. When the value is saved, the payload is stored and later executed in the context of any admin or user viewing the column configuration or the list screen table. No additional user interaction beyond viewing the affected page is required [2].

Impact

Successful exploitation results in Stored Cross-Site Scripting (XSS) within the WordPress admin dashboard. An attacker can execute arbitrary JavaScript in the context of other administrators, potentially leading to session hijacking, privilege escalation, or forced administrative actions. Since the unfiltered_html capability is not required, this vulnerability is particularly impactful in multisite environments where super admins typically limit HTML permissions [2].

Mitigation

The vulnerability is fixed in Admin Columns Free version 4.3 and Admin Columns Pro version 5.5.1, released on 2021-05-31 [2]. Users should update immediately to the latest patched versions. No known workarounds are documented, and the plugin is not listed on CISA KEV [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)