CVE-2026-1401

Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.6.4
Patched in
1d
Time to patch

Description

The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.6.3
PublishedFebruary 5, 2026
Last updatedFebruary 6, 2026
Affected plugintune-library

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-1401 (Tune Library <= 1.6.3) ## 1. Vulnerability Summary The **Tune Library** plugin for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** due to a lack of authorization checks and improper sanitization in its CSV import functionality. While int…

Show full research plan

Exploitation Research Plan: CVE-2026-1401 (Tune Library <= 1.6.3)

1. Vulnerability Summary

The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to a lack of authorization checks and improper sanitization in its CSV import functionality. While intended for administrators, the import logic is accessible to any authenticated user (including Subscriber level) because it fails to verify user capabilities. Furthermore, data imported from the CSV is stored in the database and later rendered by the [tune-library] shortcode without sufficient escaping, allowing an attacker to execute arbitrary JavaScript in the context of any user viewing a page where the shortcode is present.

2. Attack Vector Analysis

  • Vulnerable Endpoint: Likely an AJAX action or an admin_init hook handling CSV processing. Based on common patterns in this plugin, the target is likely admin-ajax.php with a specific action related to CSV importing.
  • Action Name: tune_library_import_csv or tune_library_process_csv (inferred).
  • Payload Parameter: A $_FILES upload containing a .csv file with an XSS payload in one of the columns (e.g., artist, title, or album).
  • Authentication: Required (Subscriber level or higher).
  • Preconditions: The plugin must be active. To trigger the XSS, a page containing the [tune-library] shortcode must be visited.

3. Code Flow (Inferred)

  1. Entry Point: A user sends a POST request to wp-admin/admin-ajax.php with action=tune_library_import_csv.
  2. Missing Check: The handler function (e.g., tune_library_import_handler()) lacks a current_user_can('manage_options') check, allowing Subscribers to trigger the function.
  3. Processing: The function reads the uploaded CSV file. It iterates through the rows and saves them to a custom table (e.g., {$wpdb->prefix}tune_library) or an option. It fails to use sanitize_text_field() or similar on the CSV column data.
  4. Storage: The malicious payload <script>alert(1)</script> is saved into the database.
  5. Sink: A user visits a page with the [tune-library] shortcode. The shortcode callback function (e.g., tune_library_shortcode_renderer()) fetches the rows from the database and echoes them directly or inside an HTML table without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

If the plugin uses wp_localize_script to provide a nonce for the import interface, the agent should:

  1. Identify Script Localization: Look for wp_localize_script in the plugin code (e.g., tune-library-admin.php).
  2. Determine Variable: Identify the JS object and key (e.g., tuneLibraryAdmin.importNonce).
  3. Create Access Point: If the script only loads on the plugin's admin page, use a Subscriber account to attempt to access the admin area. Note that even if the Subscriber cannot see the full UI, the script might still be enqueued on admin-ajax.php or wp-admin/.
  4. Browser Evaluation:
    • Navigate to the WordPress Dashboard as a Subscriber.
    • Run: browser_eval("window.tuneLibraryAdmin?.importNonce || window.tune_library_settings?.nonce")
  5. Bypass Check: If check_ajax_referer is called with the third parameter set to false and the return value is not checked, the nonce can be omitted or sent with an invalid value.

5. Exploitation Strategy

Step 1: Prepare the Malicious CSV

Create a file named xss.csv with the following content:

artist,title,album,year
"<img src=x onerror=alert('XSS_SUCCESS')>",Test Song,Test Album,2024

Step 2: Perform the Import (As Subscriber)

Send the multipart POST request to admin-ajax.php.

  • URL: http://localhost:8888/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: multipart/form-data
  • Body Parameters:
    • action: tune_library_import_csv (inferred)
    • _wpnonce: [EXTRACTED_NONCE] (if required)
    • csv_file: [FILE_CONTENT:xss.csv]

Step 3: Trigger the Payload

Create a public page with the [tune-library] shortcode and navigate to it.

6. Test Data Setup

  1. Subscriber User: Create a user with the subscriber role.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  2. Target Page: Create a page that renders the library.
    • wp post create --post_type=page --post_title="Music Library" --post_status=publish --post_content='[tune-library]'
  3. Identify Action: Use grep -r "wp_ajax_" wp-content/plugins/tune-library/ to find the exact action name for CSV import.

7. Expected Results

  • The import request should return a successful status (e.g., {"success": true} or 1).
  • When navigating to the "Music Library" page, an alert box with XSS_SUCCESS should appear.
  • The HTML source of the page should contain the raw, unescaped <img> tag within the library table/list.

8. Verification Steps

  1. Database Check: Verify the payload is stored in the database.
    • wp db query "SELECT * FROM wp_tune_library WHERE artist LIKE '%onerror%';" --allow-root
  2. HTTP Response Check: Use the http_request tool to fetch the "Music Library" page and check for the payload in the raw HTML.
    • grep "<img src=x onerror=alert('XSS_SUCCESS')>" in the response body.

9. Alternative Approaches

  • Option-based Storage: If the plugin stores data in wp_options instead of a custom table, use wp option get tune_library_data to verify the injection.
  • Attribute Breakout: If the data is rendered inside an attribute (e.g., <div data-artist="VALUE">), use a payload like "><script>alert(1)</script> to break out of the attribute context.
  • Missing Nonce: If no nonce is found in the code via grep, skip the nonce acquisition step and send the request without the _wpnonce parameter.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.