Tune Library
cpe:2.3:a:tune_library_project:tune_library:*:*:*:*:wordpress:*:*
- <= 1.6.3
A stored cross-site scripting vulnerability has been identified in the Tune Library plugin for WordPress, affecting all versions through 1.6.3. The issue arises from inadequate input sanitization and output escaping of user-supplied data, particularly during CSV imports. This allows authenticated attackers with Subscriber-level access or higher to inject arbitrary scripts into pages, which then execute whenever a user accesses the affected page. The CSV import feature also performs no authorization check, which is why low-privilege accounts can reach it at all.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
To reproduce this vulnerability, upload a CSV file containing malicious scripts through the 'Import CSV Tune List' option in the Tune Library plugin. Ensure that the file follows the import template provided by the plugin. After importing, the injected scripts will execute when the corresponding page is accessed.
Users are advised to update the Tune Library plugin to version 1.6.4 or later.
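As an added, hypothetical example (not Tune Library's own code), the following shows the WordPress-style fix for the two root causes named above: a capability and nonce check on the CSV importer, sanitization of each CSV cell on import, and escaping at output time. The function names, the `tune_csv` upload field, the `tl_import_csv` nonce action and the four template columns are assumptions.

```php
<?php
// Hypothetical hardened CSV tune-list import for a WordPress plugin.
// All names below are assumptions, not Tune Library's actual code.

function tl_handle_csv_import() {
    // 1. Authorization: the original flaw exposed the importer to Subscribers.
    //    Require an administrative capability and a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'tl_import_csv' );

    $path   = isset( $_FILES['tune_csv']['tmp_name'] ) ? $_FILES['tune_csv']['tmp_name'] : '';
    $handle = ( $path && is_uploaded_file( $path ) ) ? fopen( $path, 'r' ) : false;
    if ( false === $handle ) {
        return array();
    }

    $rows = array();
    // Assumed template columns: title, artist, key, notes.
    while ( ( $fields = fgetcsv( $handle ) ) !== false ) {
        if ( count( $fields ) < 4 ) {
            continue; // skip malformed rows instead of guessing
        }
        // 2. Input sanitization: strip tags and control characters from every
        //    cell before it is stored.
        $rows[] = array(
            'title'  => sanitize_text_field( $fields[0] ),
            'artist' => sanitize_text_field( $fields[1] ),
            'key'    => sanitize_text_field( $fields[2] ),
            'notes'  => sanitize_textarea_field( $fields[3] ),
        );
    }
    fclose( $handle );
    return $rows;
}

function tl_render_tune_row( array $tune ) {
    // 3. Output escaping: stored values are still treated as untrusted when
    //    rendered, so a bypass of step 2 cannot become script execution.
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>',
        esc_html( $tune['title'] ),
        esc_html( $tune['artist'] ),
        esc_html( $tune['key'] ),
        nl2br( esc_html( $tune['notes'] ) )
    );
}
```

Escaping at render time is the control that actually prevents the stored XSS; the capability and nonce checks close the missing-authorization issue that let low-privilege accounts reach the importer.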