VYPR
Unrated severity · NVD Advisory · Published May 9, 2023 · Updated Apr 28, 2026 · No known patch

WordPress Kanban Boards for WordPress Plugin <= 2.5.20 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-23884

Description

Stored XSS vulnerability in Kanban Boards for WordPress plugin <= 2.5.20 allows admin-level attackers to inject arbitrary scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Kanban Boards for WordPress plugin (slug: kanban) contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.5.20. The flaw requires authenticated access with administrator-level privileges (admin+). The exact input field or parameter is not disclosed in the available references, but the vulnerability is classified as stored XSS, meaning the malicious payload is persisted on the server and executed when other users view the affected page [1].

Exploitation

An attacker must have an administrator account on the WordPress site. With that access, they can inject arbitrary JavaScript into a vulnerable input field (e.g., a board name, description, or custom field). The injected script is stored and later executed in the browsers of other administrators or users who visit the affected page. No additional user interaction beyond viewing the page is required for the payload to fire [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, theft of sensitive data (e.g., cookies, authentication tokens), or further administrative actions on the WordPress site. The impact is limited to users with access to the affected admin pages, but given that the attacker already has admin privileges, the primary risk is lateral movement or privilege escalation within the admin panel [1].

Mitigation

The plugin has been closed and removed from the WordPress.org plugin directory as of March 7, 2024, with the stated reason being a security issue [1]. No patched version was ever released. Users who have the plugin installed should immediately uninstall it and replace it with an alternative solution. There is no known workaround that addresses the vulnerability without removing the plugin [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

Plugin removed: Kanban Boards for WordPress (slug: kanban)

This plugin has been removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page
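The removal guidance above (uninstall the plugin, since no patched version exists) as an added WP-CLI check that is not part of this advisory or of the plugin: it reads the installed version of the kanban plugin, compares it against the 2.5.20 ceiling with a POSIX version comparison, and deactivates and deletes the plugin when it falls in the affected range. It assumes WP-CLI (`wp`) is on PATH and the script is run from the WordPress root; the `--run` flag is this script's own convention.

```shell
#!/bin/sh
# Added example, not part of the advisory: detect an installed copy of the
# Kanban Boards for WordPress plugin (slug "kanban") at a version <= 2.5.20
# via WP-CLI and remove it, since no patched release exists (CVE-2023-23884).
# Assumes WP-CLI ("wp") is on PATH and the script runs from the WordPress root.
set -eu
AFFECTED_SLUG="kanban"
LAST_AFFECTED="2.5.20"   # highest affected version per the advisory

# version_le A B: true (0) when dotted version A <= B. Components are compared
# numerically left to right; missing components count as 0 and non-numeric
# suffixes such as "-beta" are ignored.
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    [ "$a" = "$ax" ] && a="" || a="${a#*.}"
    [ "$b" = "$bx" ] && b="" || b="${b#*.}"
    ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
    ax="${ax:-0}"; bx="${bx:-0}"
    [ "$ax" -lt "$bx" ] && return 0
    [ "$ax" -gt "$bx" ] && return 1
  done
  return 0
}

# is_affected VERSION: true when VERSION is within the vulnerable range.
is_affected() { version_le "$1" "$LAST_AFFECTED"; }

# Installed version of the plugin according to WP-CLI, or empty if absent.
installed_version() {
  wp plugin get "$AFFECTED_SLUG" --field=version 2>/dev/null || true
}

remediate() {
  v="$(installed_version)"
  if [ -z "$v" ]; then
    echo "plugin '$AFFECTED_SLUG' is not installed"
  elif is_affected "$v"; then
    echo "$AFFECTED_SLUG $v is affected (<= $LAST_AFFECTED): deactivating and deleting"
    wp plugin deactivate "$AFFECTED_SLUG"
    wp plugin delete "$AFFECTED_SLUG"
  else
    echo "$AFFECTED_SLUG $v is outside the advisory range; review manually"
  fi
}

# Only act when invoked with --run and WP-CLI is available.
if [ "${1:-}" = "--run" ] && command -v wp >/dev/null 2>&1; then
  remediate
fi
```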

References: 1
