This cross-site scripting vulnerability can be exploited by remote attackers to compromise the user's site. News Announcement Scroll is a popular plugin used to create scrolling news feeds on WordPress websites; it has over 2 million active installs and is rated 4.7 out of 5 stars. The default installation of News Announcement Scroll does not validate user-supplied input before it is output to the page, which makes it possible for an attacker to inject malicious code into the news feed. A crafted news-feed entry, when viewed by a user, could send that user to an external website or serve them malicious content; in the XSS case, the injected code is executed in the user's browser. XSS of this kind is particularly dangerous because it is often introduced through third-party plugins that the website administrator does not directly control, which makes the news feed of a WordPress website an easy injection point.

Vulnerability description

The vulnerability exists because the plugin does not validate or escape user-supplied input before rendering it in the news feed. It is triggered when inline JavaScript is entered into the HTML of a news-feed entry: the script is stored with the entry and executes in the browser of every user who views the feed.

News Announcement Scroll – Cross Site Scripting Vulnerability

WordPress is a popular content management platform that holds over 50% of the total internet market share. It was initially released in 2003 and is still running strong, with over 29% of websites using WordPress. News Announcement Scroll is a plugin used to create scrolling news feeds on WordPress websites; it has over 2 million active installs and is rated 4.7 out of 5 stars on the WordPress plugins website.
The default installation of News Announcement Scroll does not validate user-supplied input before it is output to the page, which makes it possible for an attacker to inject malicious code into the news feed. By crafting a feed message that, when viewed by a user, sends them to an external website or serves malicious content, an attacker could compromise the site and inject malicious content into its internal pages.
Remote attackers can exploit this cross-site scripting vulnerability to compromise the user's site by injecting arbitrary script code into text boxes in blog posts or other public areas.
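The defect described in the two passages above (input stored into a news-feed entry and later echoed into the page without validation or escaping) is the classic stored-XSS pattern in a WordPress plugin. The following PHP is an added illustration written for this page; it is not code from the News Announcement Scroll plugin, and the function names, the option name news_scroll_items and the item fields (text, url, body) are hypothetical. It places the unsafe rendering pattern beside a hardened version that sanitizes on save and escapes at output with the WordPress API:

```php
<?php
// Added example for this page, not code from the News Announcement Scroll plugin.
// All function names, the option name and the item fields are hypothetical.

// UNSAFE PATTERN: a stored news item is concatenated straight into the markup.
// Any script or event-handler attribute inside $item['text'] or $item['url']
// is emitted verbatim and runs in every visitor's browser (stored XSS).
function news_scroll_render_item_unsafe( array $item ) {
    return '<li><a href="' . $item['url'] . '">' . $item['text'] . '</a></li>';
}

// HARDENED PATTERN, step 1: sanitize when the item is saved, per field.
function news_scroll_sanitize_item( array $raw ) {
    return array(
        // The headline is plain text: strip all tags and control characters.
        'text' => sanitize_text_field( $raw['text'] ?? '' ),
        // Only http(s) links may persist, so a javascript: URL never reaches storage.
        'url'  => esc_url_raw( $raw['url'] ?? '', array( 'http', 'https' ) ),
        // The body may carry a small HTML subset: no script tags, no on* handlers.
        'body' => wp_kses( $raw['body'] ?? '', array(
            'a'      => array( 'href' => true, 'title' => true ),
            'strong' => array(),
            'em'     => array(),
            'br'     => array(),
        ) ),
    );
}

// HARDENED PATTERN, step 2: escape at output for the context each value lands in.
// Storage may be tampered with by other code paths, so output escaping is kept
// even though the data was sanitized on save.
function news_scroll_render_item_safe( array $item ) {
    return '<li>'
        // URL attribute -> esc_url, other attribute -> esc_attr
        . '<a href="' . esc_url( $item['url'] ) . '" title="' . esc_attr( $item['text'] ) . '">'
        // text node -> esc_html
        . esc_html( $item['text'] )
        . '</a>'
        // already-sanitized HTML fragment -> wp_kses_post as a second line of defense
        . '<div class="news-body">' . wp_kses_post( $item['body'] ) . '</div>'
        . '</li>';
}

// Hook the sanitizer on the option the hypothetical plugin stores its items in,
// so every save path (admin form, REST, WP-CLI) passes through it, not only the
// settings screen.
add_filter( 'pre_update_option_news_scroll_items', function ( $items ) {
    return array_map( 'news_scroll_sanitize_item', (array) $items );
} );
```

Two points for anyone auditing or fixing a plugin like this: validation on input alone is not a fix, because any code path that writes the option (imports, REST handlers, direct database edits) bypasses the form-level check, so the escaping at render time is what actually closes the XSS; and the escaping function must match the output context, since esc_html() inside an href does not stop a javascript: URL and esc_url() on a text node does not stop injected markup.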

References

1) CVE-2022-40694
2) https://wordpress.org/plugins/news-announcement-scroll/
3) Source code of the plugin

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 00:40:00 UTC