CVE CyberSecurity Database News

CVE-2023-47808 - Exploiting XSS in Christina Uechi Add Widgets to Page Plugin <= 1.3.2

Poster -

A new dangerous vulnerability—CVE-2023-47808—has been discovered in the “Add Widgets to Page” WordPress plugin by Christina Uechi, affecting all versions up to and including 1.3.2. This flaw allows a hacker to perform Cross-Site Scripting (XSS) attacks, which can let them steal cookies, hijack sessions, or even perform actions as the victim user. In plain English: if your WordPress site uses this plugin, it’s at risk until you update the plugin.

In this article, we'll break down the vulnerability, provide proof-of-concept code, walk you through possible exploitation, and reference the original sources for further reading.

What Is the Add Widgets to Page Plugin?

Add Widgets to Page is a popular WordPress plugin that enables users to insert widgets anywhere on posts or pages using shortcodes. This is pretty handy, but if it's not coded securely, it can end up exposing your site to hackers.

About CVE-2023-47808

The vulnerability, CVE-2023-47808, is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). That’s a fancy way of saying the plugin does not sanitize or escape user-supplied inputs properly when generating web pages—opening the door for malicious JavaScript to run in other users’ browsers.

Vulnerable versions: ≤ 1.3.2

- Patched in: N/A (at time of writing; always check the plugin changelog for updates)
- CVE page: NVD listing for CVE-2023-47808

How Does the Vulnerability Work?

Shortcodes are a common feature in WordPress. With this plugin, you can add [widgets_on_pages id=1] to display widgets wherever you want. The vulnerability arises because certain parameters for the shortcode aren't properly sanitized. If an attacker can insert malicious JavaScript via these parameters, anyone visiting the compromised page or post will have that code executed in their browser.

Let’s look at a simple exploit example.

Suppose you have a vulnerable site with this plugin active, and the attacker can create or edit posts (for example, if you allow user-submitted posts, or if an admin’s account is compromised).

Code Snippet

[widgets_on_pages id="1" page_title="<script>alert('XSS')</script>"]

If the plugin does not escape the page_title parameter, when the page is visited, a JavaScript popup box saying "XSS" will appear. In real attacks, attackers may try to steal session cookies or perform other malicious actions.

`

[widgets_on_pages id="1" page_title=""]

`

2. View the page as an unsuspecting user/admin.

How to Fix

- Update the plugin: Check for updates on the official plugin page.

Technical Details (for Researchers)

The vulnerability centers on a lack of output escaping/sanitization when rendering certain shortcode parameters. Usually, WordPress functions like esc_html() or esc_attr() should be used to handle user input, but in this case, they are missing or incomplete.

Sample vulnerable code

echo $_GET['page_title']; // Dangerous! Should be escaped.

Secure way

echo esc_html($_GET['page_title']); // Safe.

References

- NVD: CVE-2023-47808
- WPScan entry
- Plugin homepage
- WordPress guide on XSS

Conclusion

CVE-2023-47808 is a serious risk for any WordPress site using Add Widgets to Page plugin ≤ 1.3.2. If you’re affected, update or disable the plugin ASAP. Always keep your plugins up to date and limit user capabilities wherever possible.

Timeline

Published on: 11/22/2023 22:15:08 UTC
Last modified on: 11/28/2023 19:27:25 UTC