Executive Summary

The Tune Library plugin for WordPress, up to version 1.6.3, is vulnerable to Stored Cross-Site Scripting (XSS) via its CSV import feature. This vulnerability arises because the plugin does not properly sanitize or escape user-supplied data imported through CSV files. Authenticated users with Subscriber-level access or higher can inject malicious web scripts into pages using the [tune-library] shortcode. These scripts execute whenever any user views the affected page.

The root cause is the lack of authorization checks and insufficient input sanitization during the CSV import process, allowing arbitrary script injection that is stored and later rendered without escaping.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an authenticated attacker with low-level access (Subscriber or above) to inject malicious scripts into the website. These scripts execute in the context of other users who visit the infected pages, potentially leading to session hijacking, defacement, or theft of sensitive information.

Because the vulnerability is stored (persistent), the malicious code remains on the site until removed, affecting all users who access the compromised pages.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored Cross-Site Scripting (XSS) via CSV import in the Tune Library WordPress plugin versions up to 1.6.3. Detection involves identifying if your WordPress site is running the vulnerable plugin version and if malicious scripts have been injected through CSV imports.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can:'}, {'type': 'list_item', 'content': 'Check the installed version of the Tune Library plugin to see if it is version 1.6.3 or earlier.'}, {'type': 'list_item', 'content': 'Review recent CSV import activity or uploaded CSV files for suspicious or unexpected script tags or JavaScript code.'}, {'type': 'list_item', 'content': 'Search the WordPress database table that stores imported tracks (usually `{prefix}tracks`) for entries containing suspicious HTML or JavaScript code.'}, {'type': 'paragraph', 'content': 'Example commands to assist detection (assuming command line access and database access):'}, {'type': 'list_item', 'content': 'Use WP-CLI to check plugin version: `wp plugin list --status=active | grep tune-library`'}, {'type': 'list_item', 'content': 'Search the database for suspicious script tags in track titles or other fields (replace `wp_` with your table prefix):\n`mysql -u username -p -e "SELECT * FROM wp_tracks WHERE title LIKE \'%<script>%\' OR artist LIKE \'%<script>%\' OR album LIKE \'%<script>%\';"`'}, {'type': 'list_item', 'content': 'Check web server logs for unusual POST requests to CSV import endpoints or suspicious user activity from Subscriber-level accounts.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should:

• Update the Tune Library plugin to version 1.6.4 or later, where the vulnerability has been fixed by adding capability checks, nonce validation, input sanitization, and output escaping.
• Restrict CSV import functionality to users with appropriate permissions (manage_options capability) to prevent unauthorized imports.
• Avoid importing CSV files from untrusted sources until the plugin is updated.
• Review and sanitize any previously imported data that may contain malicious scripts.
• Implement web application firewall (WAF) rules to detect and block attempts to exploit this vulnerability.

Useful 0 Not Useful 0