WP Admin UI Customize < 1.5.13 - Admin+ Stored XSS

Vulnerability

The WP Admin UI Customize WordPress plugin prior to version 1.5.13 fails to sanitize and escape some of its settings. This allows high-privilege users, such as administrators, to store malicious JavaScript in plugin settings, leading to stored Cross-Site Scripting (XSS). The vulnerability is exploitable even in multisite configurations where the unfiltered_html capability is disallowed [1].

Exploitation

An attacker with administrator-level access to the WordPress admin area can inject arbitrary JavaScript into the plugin's settings fields. Because the plugin does not sanitize or escape the input before saving and rendering it on the admin pages, the injected script executes in the context of the admin panel whenever other administrators (or the attacker themselves) view those settings. No additional user interaction beyond viewing the settings page is required [1].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the browser of any administrator who visits the affected settings page. This can lead to session hijacking, defacement, theft of sensitive information (e.g., nonces, cookies), or malicious actions performed on behalf of the victim administrator — all within the administrative interface [1].

Mitigation

Users should update the WP Admin UI Customize plugin to version 1.5.13, which was released on or before November 4, 2022, and contains the necessary input sanitization and output escaping fixes [1]. There is no known workaround for older versions; upgrading is the recommended action.