A new vulnerability, identified as CVE-2022-3392, has been discovered in the WP Humans.txt WordPress plugin, versions up to and including 1.0.6. This vulnerability allows high privilege users, such as administrators, to perform stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed. This is particularly concerning in multisite setups, where administrators are normally denied unfiltered_html and are expected to be unable to store markup.

In this blog post, we will discuss the details of CVE-2022-3392, provide code snippets that demonstrate the vulnerability, and link to original references for further understanding. The goal is to raise awareness about this security issue and provide information for web administrators and developers to take action in securing their WordPress installations.

Description of CVE-2022-3392

The WP Humans.txt plugin allows WordPress site administrators to manage a humans.txt file, which provides information about the site's developers and contributors. It is installed on thousands of WordPress sites globally.

Unfortunately, the plugin does not properly sanitize and escape some of its settings. As a result, high privilege users can inject malicious code into the plugin's settings, leading to stored XSS attacks. This can occur even when the unfiltered_html capability is disallowed, making this vulnerability particularly concerning.

The following code snippet highlights the affected settings in the WP Humans.txt plugin:

```php
function print_humanstxt() {
    // Read the plugin's stored settings from the options table.
    $options = get_option( 'humanstxt_settings' );
    $humanstxt_content = $options['humanstxt_content'];
    header( 'Content-Type: text/plain' );
    // The stored value is echoed as-is: it was not sanitized on save and is not escaped here.
    echo $humanstxt_content;
    exit;
}
```

In the above code, the $humanstxt_content setting value is not sanitized or escaped, allowing high privilege users to inject malicious scripts that are executed when a visitor views the humans.txt file.
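As an added example that is not the plugin's own code, the following shows how a developer would harden this data flow: sanitize the setting on save (stripping tags for users who lack unfiltered_html), escape it wherever it is rendered inside HTML, and serve the file as plain text with MIME sniffing disabled. It goes slightly beyond the snippet above by also covering the settings page textarea. It assumes it runs inside WordPress; the option name and key come from the snippet, and every other function, hook and group name is hypothetical.

```php
<?php
// Added hardening example, not the plugin's own code. Assumes it runs inside WordPress.
// The option name and key come from the snippet above; every other name is hypothetical.

// 1. Sanitize on save. humans.txt is plain text, so strip all tags unless the saving
//    user holds unfiltered_html; a privileged user without it cannot store markup.
function humanstxt_sanitize_settings( $input ) {
    $content = isset( $input['humanstxt_content'] ) ? (string) $input['humanstxt_content'] : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses( $content, array() ); // empty allow-list: remove every tag
    }
    return array( 'humanstxt_content' => $content );
}

function humanstxt_register_settings() {
    register_setting( 'humanstxt_group', 'humanstxt_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'humanstxt_sanitize_settings',
    ) );
}
add_action( 'admin_init', 'humanstxt_register_settings' );

// 2. Escape on output wherever the stored value is rendered inside HTML, such as the
//    settings page textarea (not shown in the snippet above, but the same data flow).
function humanstxt_render_textarea() {
    $options = get_option( 'humanstxt_settings', array() );
    $content = isset( $options['humanstxt_content'] ) ? $options['humanstxt_content'] : '';
    echo '<textarea name="humanstxt_settings[humanstxt_content]" rows="10" cols="60">'
        . esc_textarea( $content )
        . '</textarea>';
}

// 3. Serve /humans.txt as plain text and forbid MIME sniffing, so a browser never
//    interprets the body as HTML even if markup did reach the database.
function humanstxt_print() {
    $options = get_option( 'humanstxt_settings', array() );
    $content = isset( $options['humanstxt_content'] ) ? $options['humanstxt_content'] : '';
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo $content;
    exit;
}
```

The sanitize callback runs in the context of the user who submits the settings form, so the unfiltered_html check reflects that user's capabilities rather than those of a later visitor.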

Exploit Details

An attacker with administrator privileges can exploit this vulnerability by injecting malicious JavaScript code into the $humanstxt_content value through the WP Humans.txt plugin settings. When a visitor to the WordPress site views the humans.txt file, the malicious code will execute in their browser, potentially compromising the visitor's data and allowing the attacker to perform further malicious activities.

To exploit this vulnerability, an attacker could use the following JavaScript payload:

```html
<script>alert("XSS Payload Executed!");</script>
```

For more detailed information on CVE-2022-3392, refer to the following sources:

1. CVE-2022-3392: National Vulnerability Database (NVD)
2. WPScan Vulnerability Database Entry
3. WP Humans.txt WordPress Plugin Repository

To protect your WordPress site from this vulnerability, take the following steps:

1. Update the WP Humans.txt plugin to version 1.0.7 or later. The plugin's developers have been notified of this vulnerability, and a patch is expected to be released soon.
2. Limit the number of users with administrative privileges on your WordPress site, and ensure that only trusted users have access to these permissions.
3. Consider using security plugins and tools that help protect your WordPress site from XSS attacks and other vulnerabilities.

Conclusion

CVE-2022-3392 is a critical vulnerability in the WP Humans.txt WordPress plugin, potentially exposing thousands of websites to stored XSS attacks. As always, it is important to keep your plugins up-to-date and follow best security practices to minimize the risk of exploitation.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 01:46:00 UTC