CVE-2019-12934 – wp-code-highlightjs WordPress Plugin CSRF leads to blog-wide injected script/HTML

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.

wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF,  as demonstrated by an XSS payload in the hljs_additional_css parameter.

An attacker could leverage this CSRF to include a script-tag that will execute upon CSRF, coupled with a wordpress user-create payload could potentially lead to RCE.

Proof of Concept:

where poc.js could be a payload similar to:

https://github.com/hakluke/weaponised-XSS-payloads/blob/master/wordpress_create_admin_user.js