WordPress is the world's most popular Content Management System (CMS) with more than 415 million active websites. Plugins are like apps for WordPress, and they significantly extend the functionality of the platform. Unfortunately, some plugins may contain vulnerabilities that can be exploited by malicious actors. One such vulnerability has been discovered in the WordPress Popular Posts plugin developed by Hector Cabrera.

The vulnerability is a stored Cross-Site Scripting (XSS) vulnerability that affects Hector Cabrera's WordPress Popular Posts plugin, versions <= 6.3.2. It was assigned CVE-2023-45607. Stored XSS vulnerabilities occur when an attacker can inject malicious code into a web application, where it is stored and later executed in the browsers of unsuspecting users, enabling the attacker to compromise user accounts, redirect users to malicious sites, and perform other malicious activities.

In this long-read post, we will dive deep into this vulnerability, examining the code snippet, understanding the original references, and outlining the exploit details. We will also provide recommendations to mitigate risks associated with this vulnerability.

Code Snippet

The vulnerability exists in the wpp-thumbnail parameter, which can be exploited through the [wpp] shortcode. This parameter allows an attacker to inject malicious scripts that will be executed when the vulnerable page is loaded.

Here is a code snippet illustrating the vulnerability:

// Hector Cabrera WordPress Popular Posts plugin <= 6.3.2
function get_popular_posts_shortcode(array $atts) {
    // ...
    // Merge the shortcode's attributes with their defaults
    $params = shortcode_atts([
        'id' => '',
        // ...
        'wpp-thumbnail' => NULL,
        // ...
    ], $atts);

    // ...

    // Process these attributes
    if (!is_null($params['wpp-thumbnail'])) {
        // The attribute value is copied through as-is: no validation,
        // sanitization or escaping before it reaches the rendered output
        $params['thumbnail'] = $params['wpp-thumbnail'];
    }

    // ...
}

As seen in the code snippet, the wpp-thumbnail parameter is not sanitized, allowing for the injection of malicious scripts.

The vulnerability was brought to light by several reputable security researchers and organizations:

1. Wordfence: Stored XSS Vulnerability Patched In WordPress Popular Posts Plugin
2. CVE Details: CVE-2023-45607
3. National Vulnerability Database: CVE-2023-45607
4. WordPress.org: WordPress Popular Posts Plugin Changelog for 6.4.

Exploit Details

The issue can be reproduced by placing a [wpp] shortcode with a crafted wpp-thumbnail attribute in post content:

[wpp wpp-thumbnail="<script>alert('XSS');</script>"]

By injecting the above code, a successful XSS attack could occur, enabling the attacker to steal users' authentication cookies, access their accounts, redirect them to malicious websites, steal sensitive information, and carry out other harmful actions.

To protect against this vulnerability:

1. Update to WordPress Popular Posts plugin version 6.4. or later, as this version patches the vulnerability.
2. Implement strict input validation and sanitization on all user inputs, including those passed through the plugin's shortcodes.
3. Use a Web Application Firewall (WAF) to block malicious requests and scripts.
4. Regularly audit and update all plugins and themes in the WordPress environment to patch vulnerabilities as they are discovered.
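As an added example (not code from this post, from Wordfence or from the plugin itself), the following Python script sketches how a site owner could triage already-stored content for the pattern described above before and after applying the update: it extracts [wpp] shortcodes from post text, parses their attributes with a simplified parser (a stand-in for WordPress's shortcode_parse_atts, not a reimplementation of it), and flags attribute values that carry HTML or script markers. The sample posts, the SUSPICIOUS_RE heuristic and the use of html.escape as a stand-in for WordPress's esc_attr() are all constructed for illustration and are not the plugin's actual patch.

```python
import re
from html import escape

# Constructed sample rows (post_id, post_content); not data from any real site.
# Post 2 carries the attribute pattern described in the write-up.
SAMPLE_POSTS = [
    (1, 'Weekly roundup [wpp limit="5" thumbnail_width="75"] thanks for reading.'),
    (2, 'Trending [wpp wpp-thumbnail="<script>alert(\'XSS\');</script>"]'),
    (3, 'Harmless [wpp wpp-thumbnail="https://example.invalid/thumb.png" limit="3"]'),
    (4, "No shortcode here at all."),
]

# A [wpp ...] shortcode and everything up to its closing bracket.
SHORTCODE_RE = re.compile(r"\[wpp\b([^\]]*)\]", re.IGNORECASE)

# name="value", name='value' or name=value (simplified; WordPress's own
# shortcode_parse_atts handles more forms than this).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")

# Heuristic markers that have no business in a thumbnail attribute value:
# tag delimiters, a javascript: scheme or an inline event handler.
SUSPICIOUS_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_shortcode_atts(text):
    """Return the attributes of one shortcode body as a dict (names lowercased)."""
    atts = {}
    for m in ATTR_RE.finditer(text):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched; take that one.
        value = next(v for v in m.groups()[1:] if v is not None)
        atts[name] = value
    return atts


def find_wpp_shortcodes(content):
    """Return a list of attribute dicts, one per [wpp ...] shortcode in content."""
    return [parse_shortcode_atts(m.group(1)) for m in SHORTCODE_RE.finditer(content)]


def audit_posts(posts):
    """Return (post_id, attribute, value) for every attribute value that looks like markup."""
    findings = []
    for post_id, content in posts:
        for atts in find_wpp_shortcodes(content):
            for name, value in atts.items():
                if SUSPICIOUS_RE.search(value):
                    findings.append((post_id, name, value))
    return findings


def escaped_attr(value):
    """Show what the same value looks like once escaped for an HTML attribute context.

    html.escape stands in for WordPress's esc_attr(); this illustrates the
    sanitization recommendation and is not the plugin's actual fix.
    """
    return escape(value, quote=True)


if __name__ == "__main__":
    for post_id, name, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {name}={value!r}")
        print(f"  escaped form: {escaped_attr(value)}")
```

In practice the rows would come from a dump of the posts table rather than the constructed list; the shortcode regex stops at the first closing bracket, so a value that itself contains "]" would need a fuller parser.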

Stay vigilant and prioritize security to ensure the safety of your WordPress site and protect your users from potential harm.

Timeline

Published on: 10/18/2023 14:15:09 UTC
Last modified on: 10/25/2023 01:26:18 UTC