XSS (cross-site scripting) is a type of attack that allows hackers to inject malicious code into a trusted web application. An attacker can trigger this code to steal sensitive information or to redirect a victim’s session to a phishing website. The Tabs plugin is used to create new tabs in the WordPress admin panel. Therefore, it is very easy for any attacker to inject malicious code into any tab. An attacker can use XSS to steal sensitive information such as usernames, passwords and email IDs, or to redirect a victim’s session to a phishing website, for example to a Gmail login page. XSS can be easily exploited if the Tabs plugin is not properly configured. Therefore, we recommend installing the latest version of the Tabs plugin.

How to get access to the WordPress Tabs plugin?

The easiest way to get access to the WordPress Tabs plugin is to install it from the WordPress.org website.
Once you have installed the latest version of the Tabs plugin, activate it, then go to the options and check the “Disable all other tabs” option. This will make sure that no other tabs are created on your website.
This should solve the problem of the XSS vulnerability in the WordPress Tabs plugin.

Tabs plugin: How to check if it is vulnerable?

As discussed in this article, the Tabs plugin is vulnerable to XSS attacks. To check whether it is vulnerable, follow these steps:
1) Go to Plugins->Add New->Upload and select the tabs.php file from FTP.
2) After that, click on the "Options" tab and scroll down the page until you find "X-Frame-Options". If this field has a value of "DENY", then the Tabs plugin is not vulnerable to XSS attacks. If this field has a value of "SAMEORIGIN", then the Tabs plugin is vulnerable to XSS attacks.

Tabs plugin is vulnerable to XSS

Although you can use the Tabs plugin to create new tabs in the WordPress admin panel, it is still vulnerable to XSS. An attacker can easily exploit this vulnerability by injecting malicious code into any tab. In general, attackers inject malicious code in the form of HTML and JavaScript. To avoid such attacks, we recommend installing the latest version of the Tabs plugin.
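The following is an added example, not the Tabs plugin's own code: the plugin's source is not shown on this page, so the function names and the `$tab` array layout are hypothetical. It shows the general pattern behind this class of bug, stored tab fields written into HTML unescaped, next to a form that escapes each field for the context it lands in.

```php
<?php
// Added illustration; not the Tabs plugin's source. Function names and the
// $tab array layout are hypothetical.

// Constructed sample: a stored tab whose fields carry markup.
$tab = [
    'id'    => 'tab-1" onmouseover="alert(1)',
    'title' => '<script>alert(1)</script>',
    'body'  => 'Hello <img src=x onerror=alert(1)>',
];

// Vulnerable pattern: stored values are concatenated into HTML as-is,
// so the browser parses them as markup and script.
function render_tab_unsafe(array $tab): string
{
    return '<div id="' . $tab['id'] . '"><h3>' . $tab['title'] . '</h3>'
         . '<div class="tab-body">' . $tab['body'] . '</div></div>';
}

// Escape for an HTML text node. Uses WordPress's esc_html() when it is loaded,
// otherwise PHP's htmlspecialchars() so the file also runs outside WordPress.
function tab_esc_html(string $s): string
{
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a quoted attribute value. Uses esc_attr() when it is loaded.
function tab_esc_attr(string $s): string
{
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every value is escaped for the context it is written into,
// so the same stored data is displayed as text instead of being executed.
function render_tab_safe(array $tab): string
{
    return '<div id="' . tab_esc_attr($tab['id']) . '"><h3>'
         . tab_esc_html($tab['title']) . '</h3>'
         . '<div class="tab-body">' . tab_esc_html($tab['body']) . '</div></div>';
}

echo render_tab_unsafe($tab), "\n";
echo render_tab_safe($tab), "\n";
```

If a tab body has to allow some markup, WordPress's `wp_kses_post()` filters it against an allowlist of tags and attributes instead of escaping everything.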

Timeline

Published on: 09/23/2022 16:15:00 UTC
Last modified on: 09/26/2022 15:05:00 UTC
