Kanban Boards for WordPress < 2.5.21 - Admin+ Stored XSS
Description
Stored XSS in Kanban Boards for WordPress before 2.5.21 allows administrators to inject malicious scripts even when unfiltered_html is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Kanban Boards for WordPress plugin before version 2.5.21 neither sanitises on save nor escapes on output some of its settings. A high-privilege user such as an administrator can therefore store arbitrary HTML and script in those settings, and the stored markup is rendered verbatim to other users who view the affected page [1]. WordPress core applies its kses filtering to post content, not to plugin options, so the injection works even where the unfiltered_html capability has been withdrawn: by default on multisite installations, where only super admins hold it, or on single sites hardened with the DISALLOW_UNFILTERED_HTML constant.
Exploitation
An attacker who already holds an administrator role (or another role permitted to edit the plugin's settings) supplies crafted markup in one of the unsanitised settings fields and saves it. The payload is then served to every user who views the page on which that setting is rendered and executes in their browser [1]; loading the page is the only user interaction required.
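As an added illustration of the pattern described above, the following is a minimal plugin file that places a vulnerable settings save and render path beside its hardened form. It is example code written for this page, not the Kanban Boards plugin's own source; the option name demo_board_title, the settings group demo_group and the nonce action demo_save are hypothetical, and the file assumes it is loaded by WordPress so that the core functions it calls exist. Both versions keep the same capability and nonce checks, so the only difference is where sanitisation and escaping happen, which is also why restricting unfiltered_html changes nothing for the vulnerable version.

```php
<?php
/*
Plugin Name: Settings XSS demo (added example, not the Kanban Boards plugin)
*/

// Hypothetical option name; the real plugin's affected settings are not named on this page.
const DEMO_OPTION = 'demo_board_title';

/* --- Vulnerable pattern: raw save, raw render --- */

// Stores whatever the POST body contains. WordPress core does not run kses on
// options, so unfiltered_html plays no role here: an administrator without that
// capability can still store "<script>" because nothing in this path filters it.
function demo_vulnerable_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save' );
    update_option( DEMO_OPTION, wp_unslash( $_POST[ DEMO_OPTION ] ?? '' ) ); // no sanitisation
}

// Echoes the stored value verbatim, so stored markup executes in the browser
// of whoever renders this page.
function demo_vulnerable_render() {
    echo '<h2>' . get_option( DEMO_OPTION, '' ) . '</h2>'; // no escaping
}

/* --- Hardened pattern: sanitise on save, escape on output --- */

function demo_hardened_register() {
    register_setting(
        'demo_group',
        DEMO_OPTION,
        array(
            'type'              => 'string',
            // Applied inside update_option() for this key on every save,
            // regardless of which user or code path performs the save.
            'sanitize_callback' => 'demo_sanitize_title',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_hardened_register' );

// Plain-text field: sanitize_text_field() strips all tags and control
// characters. A field that must carry limited HTML would use wp_kses_post(),
// or wp_kses() with an explicit allow-list, instead.
function demo_sanitize_title( $value ) {
    return sanitize_text_field( (string) $value );
}

function demo_hardened_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save' );
    // Same call as the vulnerable version; the registered sanitize_callback
    // now runs before the value reaches the database.
    update_option( DEMO_OPTION, wp_unslash( $_POST[ DEMO_OPTION ] ?? '' ) );
}

function demo_hardened_render() {
    $title = get_option( DEMO_OPTION, '' );
    // Escape at the point of output, for the context the value lands in:
    // esc_html() for element content, esc_attr() inside an attribute.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<input type="text" name="' . esc_attr( DEMO_OPTION ) . '" value="' . esc_attr( $title ) . '">';
}
```

Sanitising on save and escaping on output are both needed: the callback keeps a payload out of the database for values written through this code, while output escaping also protects against a value that reached the option by another route (an import, a migration, a direct database write) before the fix was in place.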
Impact
Successful exploitation gives the attacker arbitrary JavaScript in the browser of any user who views the affected plugin page: theft of session cookies and nonces, actions performed in the dashboard with the victim's privileges, defacement, or data exfiltration. Because the attacker already holds an administrator role, the issue matters most where administrator is not the highest privilege. On multisite, site administrators lack unfiltered_html by default, so a payload viewed by a super admin runs with network-wide authority; on single sites, setting DISALLOW_UNFILTERED_HTML does not stop the injection either, since the capability is never consulted on this path [1].
Mitigation
The vulnerability is fixed in version 2.5.21 of the Kanban Boards for WordPress plugin [1]; site administrators should update to that version or later. There is no known workaround for older versions, so upgrading is the only reliable mitigation. After updating, review the plugin's stored settings for unexpected HTML, since an upgrade does not retroactively remove a payload that was stored before it. The plugin's changelog and the WPScan advisory confirm the fix [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Kanban Boards for WordPress
- Range: <2.5.21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://wpscan.com/vulnerability/8816d4c1-9e8e-4b6f-a36a-10a98a7ccfcd (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.