Custom Post Type UI Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Custom Post Type UI plugin for WordPress, affecting all versions through 1.18.1. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Administrator access to inject arbitrary scripts via the 'label' parameter during the import of custom post types. These injected scripts are executed when a user visits the Tools → Get Code page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can import a custom post type while injecting a script into the 'label' parameter. Once the post type is imported, the injected script will execute when the Tools → Get Code page is accessed.

Remediation

Users are advised to update the Custom Post Type UI plugin to version 1.18.2 or later.