Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import
Description
The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.6.3Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-1401 (Tune Library <= 1.6.3) ## 1. Vulnerability Summary The **Tune Library** plugin for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** due to a lack of authorization checks and improper sanitization in its CSV import functionality. While int…
Show full research plan
Exploitation Research Plan: CVE-2026-1401 (Tune Library <= 1.6.3)
1. Vulnerability Summary
The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to a lack of authorization checks and improper sanitization in its CSV import functionality. While intended for administrators, the import logic is accessible to any authenticated user (including Subscriber level) because it fails to verify user capabilities. Furthermore, data imported from the CSV is stored in the database and later rendered by the [tune-library] shortcode without sufficient escaping, allowing an attacker to execute arbitrary JavaScript in the context of any user viewing a page where the shortcode is present.
2. Attack Vector Analysis
- Vulnerable Endpoint: Likely an AJAX action or an
admin_inithook handling CSV processing. Based on common patterns in this plugin, the target is likelyadmin-ajax.phpwith a specific action related to CSV importing. - Action Name:
tune_library_import_csvortune_library_process_csv(inferred). - Payload Parameter: A
$_FILESupload containing a.csvfile with an XSS payload in one of the columns (e.g.,artist,title, oralbum). - Authentication: Required (Subscriber level or higher).
- Preconditions: The plugin must be active. To trigger the XSS, a page containing the
[tune-library]shortcode must be visited.
3. Code Flow (Inferred)
- Entry Point: A user sends a POST request to
wp-admin/admin-ajax.phpwithaction=tune_library_import_csv. - Missing Check: The handler function (e.g.,
tune_library_import_handler()) lacks acurrent_user_can('manage_options')check, allowing Subscribers to trigger the function. - Processing: The function reads the uploaded CSV file. It iterates through the rows and saves them to a custom table (e.g.,
{$wpdb->prefix}tune_library) or an option. It fails to usesanitize_text_field()or similar on the CSV column data. - Storage: The malicious payload
<script>alert(1)</script>is saved into the database. - Sink: A user visits a page with the
[tune-library]shortcode. The shortcode callback function (e.g.,tune_library_shortcode_renderer()) fetches the rows from the database and echoes them directly or inside an HTML table without usingesc_html()oresc_attr().
4. Nonce Acquisition Strategy
If the plugin uses wp_localize_script to provide a nonce for the import interface, the agent should:
- Identify Script Localization: Look for
wp_localize_scriptin the plugin code (e.g.,tune-library-admin.php). - Determine Variable: Identify the JS object and key (e.g.,
tuneLibraryAdmin.importNonce). - Create Access Point: If the script only loads on the plugin's admin page, use a Subscriber account to attempt to access the admin area. Note that even if the Subscriber cannot see the full UI, the script might still be enqueued on
admin-ajax.phporwp-admin/. - Browser Evaluation:
- Navigate to the WordPress Dashboard as a Subscriber.
- Run:
browser_eval("window.tuneLibraryAdmin?.importNonce || window.tune_library_settings?.nonce")
- Bypass Check: If
check_ajax_refereris called with the third parameter set tofalseand the return value is not checked, the nonce can be omitted or sent with an invalid value.
5. Exploitation Strategy
Step 1: Prepare the Malicious CSV
Create a file named xss.csv with the following content:
artist,title,album,year
"<img src=x onerror=alert('XSS_SUCCESS')>",Test Song,Test Album,2024
Step 2: Perform the Import (As Subscriber)
Send the multipart POST request to admin-ajax.php.
- URL:
http://localhost:8888/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: multipart/form-data - Body Parameters:
action:tune_library_import_csv(inferred)_wpnonce:[EXTRACTED_NONCE](if required)csv_file:[FILE_CONTENT:xss.csv]
Step 3: Trigger the Payload
Create a public page with the [tune-library] shortcode and navigate to it.
6. Test Data Setup
- Subscriber User: Create a user with the
subscriberrole.wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
- Target Page: Create a page that renders the library.
wp post create --post_type=page --post_title="Music Library" --post_status=publish --post_content='[tune-library]'
- Identify Action: Use
grep -r "wp_ajax_" wp-content/plugins/tune-library/to find the exact action name for CSV import.
7. Expected Results
- The import request should return a successful status (e.g.,
{"success": true}or1). - When navigating to the "Music Library" page, an alert box with
XSS_SUCCESSshould appear. - The HTML source of the page should contain the raw, unescaped
<img>tag within the library table/list.
8. Verification Steps
- Database Check: Verify the payload is stored in the database.
wp db query "SELECT * FROM wp_tune_library WHERE artist LIKE '%onerror%';" --allow-root
- HTTP Response Check: Use the
http_requesttool to fetch the "Music Library" page and check for the payload in the raw HTML.grep "<img src=x onerror=alert('XSS_SUCCESS')>"in the response body.
9. Alternative Approaches
- Option-based Storage: If the plugin stores data in
wp_optionsinstead of a custom table, usewp option get tune_library_datato verify the injection. - Attribute Breakout: If the data is rendered inside an attribute (e.g.,
<div data-artist="VALUE">), use a payload like"><script>alert(1)</script>to break out of the attribute context. - Missing Nonce: If no nonce is found in the code via
grep, skip the nonce acquisition step and send the request without the_wpnonceparameter.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.