CVE-2022-2710 The Scroll To Top WordPress plugin before 1.4.1 has an unfiltered_html setting that allows high privilege users to do Stored Cross-Site Scripting attacks.

The following example shows how a hacker can exploit this to execute arbitrary cross-site scripting attacks: In the above example, the hacker is using a privileged user (admin) to perform an input validation bypass by placing an XSS via unfiltered_html in to the settings of the plugin to execute the code in the site administrator’s account. This may affect many websites that use this plugin, for example, if we install the plugin in a multisite setup.
This issue was resolved in the version 1.4.1. You can upgrade your site to this version or upgrade your site to 1.4.1 if it is not yet installed. If you are using version 1.4.0 or earlier, then you can protect yourself against this attack by setting the unfiltered_html capability in the server’s settings to false.

2.5

.2 - Unfiltered HTML in Settings
The following example shows how a hacker can exploit this to execute arbitrary cross-site scripting attacks: In the above example, the hacker is using a privileged user (admin) to perform an input validation bypass by placing an XSS via unfiltered_html in to the settings of the plugin to execute the code in the site administrator’s account. This may affect many websites that use this plugin, for example, if we install the plugin in a multisite setup.
This issue was resolved in version 1.4.1. You can upgrade your site to this version or upgrade your site to 1.4.1 if it is not yet installed. If you are using version 1.4.0 or earlier, then you can protect yourself against this attack by setting the unfiltered_html capability in the server’s settings to false.

Input validation bypass: How it works?

The unfiltered_html capability in the server’s settings can be set to false.
This will allow administrators to hand-edit the content of an HTML input field for plugins that use this capability, bypassing any input validation and allowing XSS attacks.
To prevent this vulnerability from being exploited, you must upgrade your site to version 1.4.1 or higher, or modify the plugin configuration settings so that the unfiltered_html capability is set to false.

How you can protect against cross site scripting attacks?

The following example uses a bad filter to execute cross-site scripting.
In the above example, the opposite filter is written in PHP. The content is filtered by the function check_html(). It is easy to see that if this function was used with an input validation bypass, it would be possible for an attacker to inject arbitrary code into the server and execute their own XSS attack.
This issue was resolved in version 1.4.1. You can upgrade your site to this version or upgrade your site to 1.4.1 if it is not yet installed. If you are using version 1.4.0 or earlier, then you can protect yourself against this attack by setting the check_html capability in the server’s settings to false.

Timeline

Published on: 09/19/2022 14:15:00 UTC
Last modified on: 09/21/2022 06:27:00 UTC

References

• https://wpscan.com/vulnerability/f730f584-2370-49f9-a094-a5bc521671c1
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2710