When it comes to the security of a WordPress website, plugins often become the weak link. One such plugin, Spacer, designed to help you add space to your posts and pages, unfortunately left a dangerous gap open for attackers. This long read will walk you through CVE-2022-3618, show you code snippets, reference the root sources, and give you an exclusive, simplified explanation of the exploit at hand.
What is CVE-2022-3618?
CVE-2022-3618 refers to a security flaw in the Spacer plugin for WordPress up to version 3..6. The issue? The plugin did not properly sanitize or escape its settings in the WordPress backend. As a result, even admins who aren’t allowed to post raw HTML (that is, those with the unfiltered_html capability disabled—like on multisite networks) could inject malicious JavaScript, which would then execute for any admin who views the settings.
- Plugin: Spacer WordPress Plugin
Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Discovered by: WPScan Team
- CVE: CVE-2022-3618
Why Is This a Big Deal?
Usually, WordPress restricts “untrusted” users from adding unsafe HTML or scripts with the unfiltered_html capability. However, in a multisite setup, even administrators can have this permission removed for added security.
That’s what made the CVE-2022-3618 issue so dangerous: high-privilege users (like admins) could store XSS payloads, even if they weren’t supposed to have the permissions to do it. This essentially bypassed WordPress’s built-in safety nets.
How Did the Vulnerability Work?
When an admin user saved settings in the Spacer plugin (for instance, setting the default unit, or label), those values were saved directly, without proper sanitization or escaping. If an attacker inserted JavaScript into a field, it would be executed when another admin viewed the settings.
Let's say the Spacer plugin allows you to save a label like
<script>alert('Hacked!');</script>
The plugin, prior to 3..7, did not properly filter this input. So, when another admin loaded the settings page, the <script> tag would execute in their browser.
When another privileged user visits the settings page, the XSS triggers.
This is an example of Stored XSS (the malicious payload is stored in the database and delivered to future users).
The Core Bug in Code
While we don't have the exact function from the plugin's code, the problem usually looks like this in PHP:
// BAD: No sanitization or escaping
update_option('spacer_label', $_POST['spacer_label']);
A secure approach must sanitize and escape user input
// GOOD: Sanitize and escape user input
$label = sanitize_text_field($_POST['spacer_label']);
update_option('spacer_label', $label);
Or, when outputting to HTML
// BAD: Direct output
echo get_option('spacer_label');
// GOOD: Escape for HTML output
echo esc_html(get_option('spacer_label'));
How Was It Fixed?
The plugin authors released version 3..7 to fix the issue. After the fix, user-submitted input is sanitized and output is escaped, blocking scripts and unwanted HTML.
Proof-of-Concept (PoC) Exploit
Here’s a practical example to illustrate the exploit. This is for educational purposes only!
1. Log in as an administrator (but NOT super admin) on a multisite WordPress.
2. Go to Settings > Spacer.
3. In the "Default Unit" or "Label" field, paste:
<img src="x" onerror="alert('XSS')">
4. Save changes.
5. Any admin who views the settings will see the alert.
Links & References
- WPScan Advisory Entry
- Spacer Plugin on WordPress.org
- National Vulnerability Database Entry
- OWASP: Cross-site Scripting (XSS)
Update the Spacer plugin to 3..7 or higher.
2. Use the Principle of Least Privilege: Don’t give admin rights widely, and use super admin only for trusted users.
Closing Thoughts
CVE-2022-3618 teaches us an important lesson: attackers look for the smallest gaps—even in plugins that just place spaces on your pages. Always update your plugins and check for security advisories regularly. If you’re running a multisite, lock down sensitive capabilities and educate your users about plugin risks.
If you want to see more real-world plugin flaws explained simply, let us know!
Stay safe. Update plugins. Never trust user input.
*This guide is exclusive and written for easy understanding. Please use the information responsibly—always for defense, never for attack!*
Timeline
Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 17:47:00 UTC