Published June 2024
Disclosure: This is an exclusive breakdown, with easy-to-understand language and a practical example, of the CVE-2022-3829 vulnerability found in the popular WordPress plugin, Font Awesome 4 Menus (version ≤ 4.7.).
What is CVE-2022-3829?
CVE-2022-3829 is a vulnerability in the WordPress plugin Font Awesome 4 Menus—a tool installed on thousands of websites to help add Font Awesome icons to WordPress menus, often for design and usability improvements.
In affected versions (≤ 4.7.), certain plugin settings are not sanitized or properly escaped. This means attackers (of a certain level) could inject malicious scripts into the website's backend—even if the WordPress unfiltered_html capability is disabled (such as on multi-site installations).
Any site running Font Awesome 4 Menus v4.7. or earlier.
- Primarily at risk: high-privilege users like admins, but also possible for any user role that can access and modify the plugin’s settings page.
- Notably, the attack works even when "unfiltered_html" is not allowed, which is common on multi-site WordPress setups (like a school or business network).
Why Is This Dangerous?
Stored Cross-Site Scripting (Stored XSS) is a serious security concern. It lets an attacker inject malicious JavaScript which runs in users’ browsers every time they view a certain backend page.
The Core Issue
Some plugin options are saved directly to the database without checking or cleaning up the data ("sanitizing"). So, if an attacker saves JavaScript <script> tags through these settings, they get "saved" by WordPress, and loaded later for everyone to see.
Where Is the Code Vulnerable?
Within the plugin, several settings values are outputted without escaping, e.g., directly echoing user-supplied values. Imagine something like:
// Abstract example of potential vulnerability
echo '<input type="text" name="fa4m_menu_class" value="' . $_POST['fa4m_menu_class'] . '" />';
If $_POST['fa4m_menu_class'] contains a string like " onfocus="alert(1)", the browser will execute alert(1) when the input is focused.
However, Stored XSS is often more dangerous when injected JavaScript makes its way into a block that will execute automatically. For instance:
// Example where script injection could occur
echo '<div>' . $settings['custom_field'] . '</div>';
If custom_field contains <script>alert('Hacked!');</script>, this script will run whenever any admin loads this settings page.
`html
Save Changes.
5. Now, every time any admin visits the settings page, the alert pops up. Worse: An attacker can swap the script for something stealing cookies, redirecting users, or worse.
Consider a relevant (simplified) code fragment
// Accepts user input, no sanitization
update_option('fa4m_custom_class', $_POST['fa4m_custom_class']);
// Later in the settings page:
echo '<div>' . get_option('fa4m_custom_class') . '</div>';
Secure way:
WordPress provides built-in functions like esc_html() and sanitize_text_field() to handle this.
// Sanitize user input
update_option(
'fa4m_custom_class',
sanitize_text_field($_POST['fa4m_custom_class'])
);
// Properly escape when outputting
echo '<div>' . esc_html(get_option('fa4m_custom_class')) . '</div>';
Official References
- WordPress Plugin Vulnerabilities: Font Awesome 4 Menus
- CVE Details for 2022-3829
- Plugin’s WordPress.org Repository
## How to Fix/Protect Your Site
1. Immediately update the plugin to latest version.
Remove the plugin altogether if you no longer need it.
3. Audit your admin users; if you see any suspicious options or code in the plugin’s settings, clean it up.
Final Thoughts
Even though this attack requires high-level access, it bypasses WordPress’s built-in HTML restrictions in multi-site scenarios. In a large network, it’s easy to imagine a disgruntled site manager or compromised admin account leveraging this flaw to root the network or persist their access.
Mitigate the risks now: update and audit. Never assume plugin defaults are “safe enough”—especially when security is on the line.
Stay Safe, Stay Updated!
If you want more insights or hands-on help on WordPress security, follow the latest advisories at WPScan and subscribe to security mailing lists.
*For exclusive breakdowns like this, bookmark our blog!*
Timeline
Published on: 01/16/2024 16:15:10 UTC
Last modified on: 01/23/2024 14:01:44 UTC