Hey there, cybersecurity enthusiasts! Today, I'll be talking about a recently identified vulnerability, CVE-2023-25027, affecting the popular Kiboko Labs Chained Quiz plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) attack that can potentially compromise admin accounts (admin+). To help you better understand the issue, I will include a code snippet, discuss exploit details, and provide references for further reading.

To start, let's briefly discuss what the Kiboko Labs Chained Quiz plugin is. This popular plugin allows WordPress site owners to add fun and interactive quizzes to their websites. However, it has a significant vulnerability in versions 1.3.2.5 and below that puts admin accounts at risk of being exploited through a Stored XSS attack.

Here's a snippet of the vulnerable code:

// chained_quizzes.php
...
// line 158
echo stripslashes($quiz->title), stripslashes($quiz->description);
...
// line 2281
echo stripslashes_deep($choice->title2);

The problem arises from the improper usage of the stripslashes() function: the stored values are echoed straight after stripslashes() with no output escaping, which allows an attacker to insert malicious code into those fields that, once saved, is executed in the browser of any admin or higher-level user who views them.
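As an added example that is not the plugin's own code, here is the vulnerable output pattern from the cited lines beside a hardened version that escapes at output time. The $quiz object and its values are constructed, and the esc_html() stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added example (not plugin code): vulnerable output pattern beside the
// hardened form. Outside WordPress, esc_html() is not defined, so a minimal
// stand-in is declared here for running this file from the CLI.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        // Same effect as WordPress esc_html() for this purpose: encode
        // &, <, >, " and ' so the browser renders them as text, not markup.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample record standing in for a stored quiz row; this $quiz is
// an assumed stdClass, not the plugin's own object.
$quiz = new stdClass();
$quiz->title = 'Capitals quiz <script>alert(1)</script>';
$quiz->description = 'Pick the right answer & win';

// Vulnerable pattern (as at the cited lines): slashes are stripped but nothing
// is escaped, so stored markup reaches the admin's browser intact.
function render_unescaped(stdClass $quiz): string {
    return stripslashes($quiz->title) . stripslashes($quiz->description);
}

// Hardened pattern: strip slashes, then escape for the HTML context at output time.
function render_escaped(stdClass $quiz): string {
    return esc_html(stripslashes($quiz->title))
         . esc_html(stripslashes($quiz->description));
}

echo "Unescaped: " . render_unescaped($quiz) . PHP_EOL;
echo "Escaped:   " . render_escaped($quiz) . PHP_EOL;
// The escaped line contains &lt;script&gt; instead of <script>, so a browser
// shows the text rather than executing it.
```

The same change applies to the stripslashes_deep($choice->title2) echo: wrap the result in the escaping function appropriate to the output context before printing it.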

Carrying out the attack only requires basic privileges on the site, such as those of a low-level user. The attacker submits specially crafted data for a quiz or answer choice containing malicious code, which is then saved and stored within the website. Whenever an admin-level user views the affected quiz or answer choice, the stored script executes, potentially compromising their admin account.

For more information about CVE-2023-25027, you can check out the original disclosure at the following link:
- CVE-2023-25027 - NVD

It's also worth noting that this XSS vulnerability has potential ties to further threats, such as Cross-Site Request Forgery (CSRF) attacks. By exploiting both vulnerabilities simultaneously, an attacker can gain even greater control over a site's resources and user accounts. For more information on CSRF attacks related to this vulnerability, please refer to this security advisory:
- CVE-2023-25028 - NVD

If you are running the Kiboko Labs Chained Quiz plugin on your WordPress site and your current version is 1.3.2.5 or lower, I strongly recommend updating to the latest version as soon as possible. Kiboko Labs has acknowledged the vulnerability and released a patched version of the plugin that addresses this issue. Visit their official site here:
- Kiboko Labs Chained Quiz Plugin

In summary, the CVE-2023-25027 Stored XSS vulnerability is a high-risk issue that can have severe consequences for admin accounts within affected WordPress sites using the Kiboko Labs Chained Quiz plugin (versions 1.3.2.5 and below). To keep your site secure, it's important to stay informed about vulnerabilities like this and ensure your plugins, themes, and core WordPress files are up to date.

Timeline

Published on: 04/07/2023 11:15:00 UTC
Last modified on: 04/15/2023 02:24:00 UTC