Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)

Exploit Author: LEE SE HYOUNG
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-06-06
# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
# Date: 2023-04-24
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
# Category: Web Application
# Version: 1.6.7
# Tested on: Debian / WordPress 6.1.1
# CVE : CVE-2023-30868
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve

# 1. Technical Description:
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability in versions up to and including 1.6.7.
The cause is that the post_type request parameter is reflected into the page without proper escaping. As a result, JavaScript injected through that parameter executes in the browser of users with administrator privileges or higher whenever they open the crafted URL.


# 2. Proof of Concept (PoC):

WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)
In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.

1. CMS Tree Page View Plugin <= 1.6.6

  a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.

  b. Your payload will be executed.

[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.

2. CMS Tree Page View Plugin <= 1.6.7

  a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.

  b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).

[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.


CMS Tree Page View Plugin 1.6.7 – Cross-Site Scripting (XSS) Vulnerability Explained

Security researchers have uncovered a critical reflected Cross-Site Scripting (XSS) vulnerability in the popular WordPress plugin CMS Tree Page View, affecting versions up to 1.6.7. This flaw, assigned the CVE identifier CVE-2023-30868, enables attackers to execute malicious JavaScript code in the browser of users with administrator privileges or higher—potentially leading to full compromise of WordPress sites.

Understanding the Vulnerability

The vulnerability arises from improper handling of user input in the post_type parameter within the plugin’s admin interface. Specifically, when a user navigates to /wp-admin/edit.php?page=cms-tpv-page-post, the post_type query string is directly reflected into the HTML output without proper sanitization or escaping.

This is the classic reflected XSS pattern: the payload travels inside a URL parameter and executes when the page that reflects it is rendered in the browser. Because the plugin builds its hierarchical tree view around the requested post type, that request value ends up in the rendered HTML, and without escaping it is parsed as markup rather than as data.

Exploitation Conditions

For the XSS to be effective, the following conditions must be met:

  • Administrator privileges or higher: Only users with elevated access can reach the affected admin page.
  • “In menu” option enabled: The plugin’s settings must have the “In menu” option activated under Settings → CMS Tree Page View → Select where to show a tree for pages and custom post types. This ensures the tree view is rendered in the WordPress admin menu.

Without these conditions, the vulnerability remains dormant—making it a targeted exploit rather than a widespread threat.

Proof of Concept (PoC) Demonstrations

Two distinct PoCs have been verified for different versions of the plugin:

1. PoC for CMS Tree Page View ≤ 1.6.6
http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Explanation: The URL-encoded post_type value decodes to "><script>alert(1)</script>. The leading double quote (%22) closes the attribute value the parameter is reflected into, %3E (>) closes the enclosing tag, and the <script> element that follows is rendered as markup. When the page loads, the browser executes alert(1), confirming the XSS is active.

2. PoC for CMS Tree Page View ≤ 1.6.7
http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22

Explanation: This version does not inject a new tag; it adds attributes to the element the value is reflected into and triggers the script through a keyboard shortcut. The post_type value decodes to " accesskey=C onclick=javascript:alert(1); a=" and consists of:

  • A leading double quote (%22): closes the attribute value being reflected, so everything after it is parsed as further attributes on the same element.
  • accesskey=C: assigns the letter C as the element's keyboard shortcut.
  • onclick=javascript:alert(1);: an event handler that runs when the element is activated, which pressing the access key does.
  • a=": a dummy attribute that absorbs the original closing quote so the tag remains well-formed.

When an administrator presses Ctrl + Alt + C (Mac) or Alt + Shift + C (Windows), the onclick event triggers, executing the JavaScript payload. This demonstrates a user-triggered XSS that is both stealthy and effective.

Impact and Risk Assessment

  Severity:        High
  Attack Vector:   Reflected XSS via URL parameter
  Exploitability:  Low to Medium (requires admin access)
  Impact:          Session hijacking, privilege escalation, data theft, malware injection

While the exploit requires administrator access, the potential damage is significant. An attacker could:

  • Steal admin session cookies via document.cookie.
  • Redirect users to phishing pages.
  • Inject malicious scripts to compromise the entire site.
  • Perform lateral movement across connected WordPress installations.

Security Recommendations

To protect against this vulnerability, administrators and developers should:

  • Update immediately: Upgrade to version 1.6.8 or later, where the vulnerability has been patched.
  • Disable unused features: If the “In menu” option is not needed, disable it to reduce attack surface.
  • Validate input and escape output: Ensure request values such as post_type are checked against expected values and escaped on output with esc_attr() or a similar WordPress function that matches the HTML context.
  • Monitor plugin activity: Use security plugins like Wordfence or Sucuri to detect suspicious behavior.
  • Use Content Security Policy (CSP): Enforce strict policies to block inline scripts and unauthorized sources.

Developer Best Practices

For plugin developers, this incident underscores the importance of:

  • Always escaping output: Never trust user input. Use WordPress-safe functions like esc_html(), esc_attr(), or wp_kses().
  • Validating parameters: Restrict post_type to known, predefined values (e.g., post, page, custom_post_type).
  • Implementing rate limiting: Prevent rapid, automated exploitation attempts.
  • Regular security audits: Conduct penetration testing and code reviews to catch vulnerabilities early.
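The following is an added example, not the plugin's own code, illustrating the unescaped attribute reflection described under "Understanding the Vulnerability" together with the escaping and allowlisting advice above. The div element and data-post-type attribute are hypothetical stand-ins for wherever the plugin reflected the value, and esc_attr_like() and post_type_exists_like() stand in for WordPress's esc_attr() and post_type_exists() so the file runs under plain PHP outside WordPress.

```php
<?php
// Added example, not the plugin's own code. The element and attribute
// names are hypothetical; the two helpers stand in for WordPress's
// esc_attr() and post_type_exists() so this runs outside WordPress.

// Stand-in for esc_attr(): encode & < > " ' for an attribute context.
function esc_attr_like(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for post_type_exists(): only registered post types are accepted.
function post_type_exists_like(string $type): bool {
    return in_array($type, ['post', 'page'], true);
}

// Vulnerable pattern: the raw query value lands inside a double-quoted attribute.
function render_vulnerable(string $post_type): string {
    return '<div class="cms-tpv-tree" data-post-type="' . $post_type . '"></div>';
}

// Escaping alone: the payload stays inside the attribute value as inert text.
function render_escaped(string $post_type): string {
    return '<div class="cms-tpv-tree" data-post-type="' . esc_attr_like($post_type) . '"></div>';
}

// Allowlist plus escaping: unknown post types never reach the template at all.
function render_hardened(string $post_type): ?string {
    if (!post_type_exists_like($post_type)) {
        return null;   // caller should respond with an error, not a tree
    }
    return render_escaped($post_type);
}

// The two PoC values from the advisory, decoded the way PHP decodes $_GET.
$payloads = [
    '1.6.6' => urldecode('%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'),
    '1.6.7' => urldecode('%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22'),
];

foreach ($payloads as $version => $value) {
    echo "PoC for <= $version, decoded: $value\n";
    echo "  vulnerable: " . render_vulnerable($value) . "\n";
    echo "  escaped:    " . render_escaped($value) . "\n";
    echo "  hardened:   " . var_export(render_hardened($value), true) . "\n\n";
}
```

The vulnerable output shows the 1.6.6 payload closing the tag and the 1.6.7 payload becoming extra accesskey and onclick attributes on the same element, while the escaped output keeps both as literal text inside the attribute.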

Conclusion

The CMS Tree Page View plugin’s XSS vulnerability serves as a stark reminder that even widely used, seemingly benign tools can harbor serious security flaws. Developers must prioritize input sanitization and output escaping—especially in admin interfaces where privileged users are involved.

By updating to the latest version, enforcing security policies, and following best practices, WordPress administrators can effectively mitigate this risk and maintain a secure digital environment.