CVE-2022-44586 highlights a critical authenticated stored Cross-Site Scripting (XSS) vulnerability found in the Ayoub Media AM-HiLi plugin (version <= 1.) for WordPress. The vulnerability stems from a lack of proper input sanitization, allowing malicious users with admin+ privileges to inject malicious scripts into the application. Upon execution, these scripts could potentially steal sensitive information or compromise the entire site.

In this deep-dive post, we will discuss the root cause of this vulnerability, provide code snippets and links to original references, and outline the available exploits and mitigation steps. Let's get started.

Vulnerability Details

The vulnerable plugin, Ayoub Media AM-HiLi, is meant to help users highlight and style specific keywords/strings within the posts and pages of their WordPress site. However, due to insufficient input sanitization and output encoding during the processing of user-submitted data, attackers with admin+ privileges can inject malicious JavaScript code when adding new keywords or modifying existing ones. Once saved, any user browsing a page that contains the injected code will unknowingly execute the malicious script in their browser, potentially leading to account compromise or other malicious activities.

Exploit

The exploitation of this vulnerability is quite straightforward. An attacker with administrative access to the affected WordPress installation simply needs to inject a malicious JavaScript payload into any of the keywords being highlighted by the plugin.

For example, suppose the attacker wants to create an alert box displaying the message "You've been hacked". In that case, they could use the following malicious keyword:

<script>alert('You\'ve been hacked');</script>

Once this keyword is saved and displayed on the front-end of the site, any user who visits a page containing the injected keyword will trigger the malicious script in their browser.

Proof of Concept (PoC) Code Snippet

The following code snippet is a simple proof-of-concept showing a crafted HTTP request an attacker could use to exploit the vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 210
Connection: keep-alive
Host: vulnerablewordpress.com

action=am-hili-highlighting&operation=add_keyword&shortcode=on&keyword=%3Cscript%3Ealert%28%27You%5C%27ve+been+hacked%27%29%3B%3C%2Fscript%3E&bgcolor=%23ff000&fontcolor=%23ffffff&_ajax_nonce=xxxx

This request sends the required parameters to create a new malicious keyword within the Ayoub Media AM-HiLi plugin.

References

- CVE-2022-44586 Official CVE Record
- Ayoub Media AM-HiLi Plugin Homepage
- NVD – National Vulnerability Database Information

Mitigation

The most effective way to mitigate the risks posed by this vulnerability is to update the AM-HiLi plugin as soon as possible. In the meantime, administrators should restrict access to the plugin's keyword management by granting administrative privileges only to trusted users.
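To make the root cause from the Vulnerability Details section and the fix concrete, here is an added example that is not the AM-HiLi plugin's code nor the advisory author's: a minimal WordPress AJAX keyword handler and shortcode written in the vulnerable pattern (raw POST data stored, stored data echoed verbatim) next to a hardened version that checks the nonce and capability, validates each field on input and escapes for the correct HTML context on output. The function names, the option key `amhili_demo_keywords`, the nonce action and the shortcode tag are assumptions chosen to mirror the parameters visible in the PoC request; the real plugin's internal names and rendering path are not known from this page.

```php
<?php
/*
 * Illustrative code only (assumption: not taken from the AM-HiLi plugin).
 * Parameter names mirror the PoC request on this page: keyword, bgcolor,
 * fontcolor, _ajax_nonce. Option key and function names are made up.
 */

/* ---------- Vulnerable pattern ---------- */

function amhili_demo_add_keyword_vulnerable() {
    // No nonce check, no capability check, no validation: whatever arrives
    // in the POST body is persisted as-is.
    $keywords   = get_option( 'amhili_demo_keywords', array() );
    $keywords[] = array(
        'keyword'   => $_POST['keyword'],
        'bgcolor'   => $_POST['bgcolor'],
        'fontcolor' => $_POST['fontcolor'],
    );
    update_option( 'amhili_demo_keywords', $keywords );
    wp_send_json_success();
}

function amhili_demo_shortcode_vulnerable() {
    $out = '';
    foreach ( get_option( 'amhili_demo_keywords', array() ) as $k ) {
        // Stored values are concatenated straight into markup, so a keyword
        // containing <script> is delivered to every visitor who loads the page.
        $out .= '<span style="background:' . $k['bgcolor']
              . ';color:' . $k['fontcolor'] . '">'
              . $k['keyword'] . '</span> ';
    }
    return $out;
}

/* ---------- Hardened pattern ---------- */

// Accept only "#rgb" or "#rrggbb"; return null for anything else.
function amhili_demo_hex_color( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/^#(?:[0-9a-fA-F]{3}){1,2}$/', $value ) ? $value : null;
}

function amhili_demo_add_keyword_hardened() {
    // 1. CSRF token and capability check before any data is touched.
    check_ajax_referer( 'amhili_demo_keyword', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Validate each field against what it is allowed to contain:
    //    a keyword is plain text, a colour is a hex triplet, nothing more.
    $keyword   = sanitize_text_field( wp_unslash( $_POST['keyword'] ?? '' ) );
    $bgcolor   = amhili_demo_hex_color( $_POST['bgcolor'] ?? '' );
    $fontcolor = amhili_demo_hex_color( $_POST['fontcolor'] ?? '' );
    if ( '' === $keyword || null === $bgcolor || null === $fontcolor ) {
        wp_send_json_error( 'invalid keyword or colour', 400 );
    }

    $keywords   = get_option( 'amhili_demo_keywords', array() );
    $keywords[] = compact( 'keyword', 'bgcolor', 'fontcolor' );
    update_option( 'amhili_demo_keywords', $keywords );
    wp_send_json_success();
}

function amhili_demo_shortcode_hardened() {
    $out = '';
    foreach ( get_option( 'amhili_demo_keywords', array() ) as $k ) {
        // 3. Escape for the exact output context even though input was
        //    validated: attribute values with esc_attr(), text with esc_html().
        //    A stored "<script>" becomes "&lt;script&gt;" and renders as text.
        $out .= '<span style="background:' . esc_attr( $k['bgcolor'] )
              . ';color:' . esc_attr( $k['fontcolor'] ) . '">'
              . esc_html( $k['keyword'] ) . '</span> ';
    }
    return $out;
}

add_action( 'wp_ajax_amhili_demo_add_keyword', 'amhili_demo_add_keyword_hardened' );
add_shortcode( 'amhili_demo_keywords', 'amhili_demo_shortcode_hardened' );
```

Two points worth noting for anyone auditing a similar plugin. First, input validation and output escaping are independent layers: `sanitize_text_field()` strips tags from new submissions, but only `esc_html()` at the sink protects against values that were stored before the fix or that reach the database through another path, so after updating it is worth reviewing the already-stored keyword list for unexpected markup. Second, the nonce and capability checks do not address the XSS itself (the advisory requires admin+ privileges in any case), but they are the standard guard for any `admin-ajax.php` handler that writes data.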

Conclusion

CVE-2022-44586 is a prime example of the importance of proper input and output handling within web applications, especially for plugins in popular content management systems like WordPress. Always keep your plugins up to date, restrict access to sensitive features, and continuously monitor for new vulnerabilities and threats to ensure the safety of your site and user data.

Timeline

Published on: 11/02/2022 22:15:00 UTC
Last modified on: 11/04/2022 01:55:00 UTC