Visualizer: Tables and Charts Manager for WordPress Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Visualizer: Tables and Charts Manager for WordPress plugin, affecting all versions through 3.11.8. The issue arises from inadequate input sanitization and output escaping of user-supplied attributes in the plugin's Import Data From File feature. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which are executed when a user accesses the injected page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher can use the Import Data From File feature of the Visualizer: Tables and Charts Manager for WordPress plugin, version 3.11.8 or earlier. During the import process, the user can upload a file that contains malicious scripts. Once the file is imported, the injected scripts will be executed whenever a user views the page where the data was imported.

Remediation

Users are advised to update the Visualizer: Tables and Charts Manager for WordPress plugin to version 3.11.9 or a newer patched version.