CVE-2022-3135 The SEO Smart Links WordPress plugin through 3.0.1 has settings that could allow high privilege users to perform Stored Cross-Site Scripting attacks.

When the unfiltered_html setting is disabled, URLs must be manually checked for potential cross-site scripting attacks.

When the unfiltered_html setting is enabled, any user with the “High-Risk” or “Admin” role can enable it and therefore bypass the automatic checks.

Unfiltered links also pose a security risk when used in conjunction with the unfiltered_email setting, as users with the “High-Risk” or “Admin” roles can also send email via unfiltered URLs.

Unfiltered links also pose a security risk when used in conjunction with the unfiltered_email setting, as users with the “High-Risk” or “Admin” roles can also send email via unfiltered URLs. When the unfiltered_email setting is enabled, any user with the “High-Risk” or “Admin” role can send email via unfiltered URLs, bypassing the automatic checks.

What’s the risk?

In the event of an unfiltered_html setting enabled and a URL-based cross-site scripting attack, all users with the “High-Risk” or “Admin” role can send email via unfiltered URLs.

In the event of an unfiltered_email setting enabled and an email-based cross-site scripting attack, all users with the “High-Risk” or “Admin” role can send email via unfiltered URLs, bypassing the automatic checks.

The risk is increased when both settings are enabled because any user with a High Risk or Admin role can send mail via uncheckable URLs and bypass the automated checks.

Summarize the Results of our Vulnerability Scan

Our vulnerability assessment of unfiltered_html revealed that, when fully enabled, it provides an attacker with a way to circumvent the checks for potential cross-site scripting attacks. Additionally, vulnerabilities in conjunction with unfiltered_email and unfiltered_url provide attackers with an opportunity to send email or perform malicious actions via these channels.

How to use HTML in URLs

If you are using WordPress, the easiest way to make sure that URLs do not contain malicious HTML tags is by enabling the “unfiltered_html” setting in your wp-config.php file.

If your website is hosted on a server accessed by other users, then you must manually check for potential cross-site scripting attacks by entering the following command:

https://example.com/

False Positives: How Unfiltered Links Can Lead To Confusion

When the unfiltered_html setting is enabled, any user with the “High-Risk” or “Admin” role can enable it and therefore bypass the automatic checks. These users can then send emails via unfiltered URLs from an email account that notifies them of incoming emails.
However, when a user sends an email via their own system, their server will check for malicious content in the email which includes adding a unique identifier to every message. This allows for a more comprehensive and accurate check on incoming messages.
In contrast, when these special characters are used in an unfiltered URL submission form, they are not checked against a database of known malicious sites. Therefore, a potential security risk is increased by having these characters enabled in your URL submission forms.
Therefore, you should disable the unfiltered_html setting to limit this security risk.

Timeline

Published on: 09/26/2022 13:15:00 UTC
Last modified on: 09/27/2022 03:47:00 UTC

References

• https://wpscan.com/vulnerability/3505481d-141a-4516-bdbb-d4dad4e1eb01
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3135