CVE-2023-23702 - How a Simple XSS Flaw in Pixelgrade Comments Ratings Lets Admins Plant Dangerous Scripts

In January 2023, a critical vulnerability was discovered in the *Pixelgrade Comments Ratings* WordPress plugin, affecting versions up to 1.1.7. This flaw—assigned CVE-2023-23702—enables administrators to store malicious JavaScript (XSS) in comments, which runs as soon as other admins view the affected page. Let's break down what this means, how it works, and why you should care, even if you only allow trusted users on your website.

What is Pixelgrade Comments Ratings?

Pixelgrade Comments Ratings is a WordPress plugin that lets users add star ratings to their comments. It’s especially useful for review sites, recipes, or any blog where comment feedback matters.

What is CVE-2023-23702?

CVE-2023-23702 is a *Stored* Cross-Site Scripting (XSS) vulnerability in Pixelgrade Comments Ratings. Here’s what’s notable about it:

(e.g., stealing cookies, session hijack, actions as admin)

Reference:
- WPScan Advisory
- Plugin changelog
- NVD Entry

How Does the Exploit Work?

The main issue is that the plugin fails to sanitize certain comment content before saving. An attacker (with admin+ access) can inject JavaScript, and when another admin views the page (like in the admin dashboard), the script executes.

Plugin saves it to the database without removing or encoding the script.

3. When any admin views the comment (in the dashboard or frontend), the malicious code runs in their browser context—acting with their privileges.

A look at the (simplified) vulnerable code pattern

// Vulnerable: $comment_content comes from input
$comment_id = wp_insert_comment( array(
    'comment_content' => $_POST['comment_content'],
    // ...other fields
) );

// No sanitization or escaping here

If you submit a comment like

<script>alert('XSS');</script>

The script is inserted into the database *as-is* and will execute when someone views the comment.

Proof of Concept (PoC) Exploit

Below is a real-world exploit you could perform if you’re an admin (for test/education purposes only):

`

3. After submitting, any other admin who views this will have their browser execute the code, sending their cookies to the attacker’s domain.

WordPress sites may have multiple admins, or plugins that grant temporary admin.

- If an attacker gets *any* admin access (via phishing or weak password), they can escalate and compromise all other admins.

Pixelgrade released version 1.1.8 with a patch

- Upgrade now: Plugin download
- If you must stay on an old version, never allow untrusted admins or manually sanitize comment content.

Conclusion

CVE-2023-23702 reminds us that even plugins meant for “trusted” users can be dangerous if not coded securely. Whenever a plugin lets you input content, make sure it can't store executable code—no matter who the user is.

References:
- WPScan: CVE-2023-23702
- NVD Entry
- Official plugin fix

Timeline

Published on: 11/06/2023 10:15:00 UTC
Last modified on: 11/14/2023 15:27:00 UTC