CVE-2023-47184 - Exploiting Stored XSS in Admin Bar & Dashboard Access Control WordPress Plugin (<=1.2.8)

If you manage WordPress sites and use the popular Admin Bar & Dashboard Access Control plugin by Proper Fraction LLC, it’s time to pay attention. A critical vulnerability tracked as CVE-2023-47184 was disclosed affecting plugin versions up to (and including) 1.2.8. This flaw allows an attacker with admin privileges or higher to carry out Stored Cross-Site Scripting (XSS) attacks inside your WordPress dashboard. Let’s break down the details, see how exploitation works, and discuss how you can stay safe.

What is CVE-2023-47184?

CVE-2023-47184 refers to an "Authentication Required (admin+) Stored Cross-Site Scripting (XSS)" vulnerability discovered in the Admin Bar & Dashboard Access Control plugin, up to version 1.2.8. It means a logged-in user with admin or higher access can inject malicious JavaScript which gets saved ("stored") and later executed in the browser of any user who views the affected page, including other admins.

A successful attacker could

- Steal cookies/session tokens of fellow admins,

Execute any admin-level action in the context of the victim’s account.

Even though you already need admin, this opens the door for rogue employees, compromised admin accounts, or MultiSite scenarios.

How Does the Exploit Work?

The flaw lies in improper sanitization and escaping of user input when storing admin settings. Specifically, the plugin doesn't properly clean up content before saving or displaying it in the backend dashboard.

Example Exploit (Proof-of-Concept)

Let’s say you’re an admin, and you edit plugin settings via the dashboard. In a vulnerable version, input in a specific text field (like custom message) isn't sanitized before saving or when rendered.

WP-Admin > Settings > Admin Bar & Dashboard Access Control

2. Find a field like “Custom Message” or similar text/HTML input.

`html

Save changes.

5. Visit or reload the settings/dashboard page — the alert fires.

Here’s what it looks like in plugin source code (simplified for readability)

// Vulnerable code in plugin for outputting user input:
echo get_option('abac_custom_message'); // No escaping!

How it should be

echo esc_html(get_option('abac_custom_message')); // Proper escaping

References

- Plugin Homepage
- Original Vulnerability Disclosure (Patchstack)
- CVE Entry (NVD)
- Official Patch Release

If you use this plugin

- Update immediately to version 1.2.9 or later from the plugin repository.
- Review plugin settings for any unexpected scripts/markup.

Conclusion

CVE-2023-47184 is a clear reminder: even trusted plugins can contain dangerous flaws! While this requires admin-level privileges, the risks in shared/multi-admin setups are real and potentially disastrous. Patch, review, and always keep an eye on plugin changelogs — your WordPress site security depends on it.

Timeline

Published on: 11/06/2023 10:15:08 UTC
Last modified on: 11/14/2023 17:04:27 UTC