The HTML filter and CSV-file search plugin is an essential tool for many WordPress websites. It lets content creators filter and search CSV files and present the results in a user-friendly form, typically a table or a chart. A vulnerability was recently disclosed in versions up to and including 2.7 that undermines the plugin's security and exposes the WordPress sites that run it. The vulnerability, CVE-2023-5096, is a Stored Cross-Site Scripting (XSS) flaw.

Stored XSS can be devastating for both site owners and users. Once an attacker plants a script through such a flaw, it runs in the browser of every user who views the affected page, which can lead to unauthorized access, data theft, and more. In this post, we take a closer look at the details of CVE-2023-5096, provide a code snippet to demonstrate how the exploit works, and point you to some useful resources for further information.

Exploit Details

CVE-2023-5096 lies in the 'csvsearch' shortcode provided by the HTML filter and CSV-file search plugin. Because the shortcode's user-supplied attributes are neither sufficiently sanitized on input nor escaped on output, an authenticated attacker with contributor-level permissions or greater can inject arbitrary web script into a page. Whenever a user opens the compromised page, the injected script executes in their browser, which can lead to a range of security breaches.

What makes this vulnerability so serious is that it lets authenticated attackers compromise pages visited by other users, putting the whole WordPress site at risk. Users with contributor-level or higher permissions can add CSV files to the site but have no authority to change the site's settings or upload arbitrary files. Through CVE-2023-5096, however, these users can inject arbitrary web scripts and so carry out malicious actions that their role would otherwise prevent.

Code Snippet

// Vulnerable handler (versions up to and including 2.7): the user-supplied
// 'search' attribute is written straight into an HTML attribute with no escaping.

// Exploit Example: [csvsearch csvfile="example.csv" search="<script>alert('XSS')</script>"]

function csvsearch_func($atts) {
    // Apply defaults so a missing attribute does not raise a notice; nothing is escaped yet.
    $atts = shortcode_atts(array('csvfile' => '', 'search' => ''), $atts);
    $content = '';
    $content .= '<form id="csvsearchform">';
    // Stored XSS: $atts['search'] reaches the value="" attribute unescaped, so
    // attacker-controlled markup is handed to the browser as part of the page.
    $content .= '<input type="text" id="search" name="search" value="' . $atts['search'] . '">';
    $content .= '<input type="submit" value="Search">';
    $content .= '</form>';
    return $content;
}
add_shortcode('csvsearch', 'csvsearch_func');
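As an added example (not the plugin's own code), the same handler with the user-controlled attribute escaped for the HTML-attribute context it is written into, using WordPress's esc_attr(). The function name csvsearch_func_hardened and the guarded stand-in helpers, which only exist so the file also runs from the PHP CLI outside WordPress, are assumptions of this example.

```php
<?php
// Added example, not the plugin's own code: the 'csvsearch' handler with the
// user-controlled attribute escaped for the HTML-attribute context it lands in.
// Inside WordPress the real esc_attr()/shortcode_atts()/add_shortcode() are used;
// the guarded stand-ins below only exist so the file also runs from the CLI.

if (!function_exists('esc_attr')) {
    // Simplified stand-in for WordPress esc_attr(): encode <, >, &, " and ' so the
    // value can never terminate the attribute or start a tag.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Simplified stand-in for WordPress shortcode_atts(): apply defaults, drop unknown keys.
    function shortcode_atts($pairs, $atts) {
        $out = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = isset($atts[$name]) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Hardened handler (hypothetical name): same markup as the vulnerable version,
// but every attribute value is escaped at the point it is written into HTML.
function csvsearch_func_hardened($atts) {
    $atts = shortcode_atts(array('csvfile' => '', 'search' => ''), $atts);
    $content  = '<form id="csvsearchform">';
    $content .= '<input type="text" id="search" name="search" value="' . esc_attr($atts['search']) . '">';
    $content .= '<input type="submit" value="Search">';
    $content .= '</form>';
    return $content;
}

if (function_exists('add_shortcode')) {
    add_shortcode('csvsearch', 'csvsearch_func_hardened');
} else {
    // Stand-alone check with the payload shape from the post (constructed input):
    // the output must carry the text as data, never as a live <script> tag.
    $html = csvsearch_func_hardened(array('search' => '<script>alert(\'XSS\')</script>'));
    echo $html, PHP_EOL;
    if (strpos($html, '<script') !== false) {
        throw new RuntimeException('escaping failed');
    }
}
```

The escaping function must match the output context: esc_attr() for attribute values, esc_html() for text between tags, and esc_url() for href and src values.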

Original References

1. Plugin Homepage: https://wordpress.org/plugins/html-filter-and-csv-file-search/
2. "... WordPress Plugin Security Testing Cheat Sheet": https://www.owasp.org/index.php/OWASP_WordPress_Security_Implementation_Guideline
3. "CSV-File Search Plugin for WordPress - Stored XSS": https://www.exploit-db.com/exploits/45395

Conclusion

CVE-2023-5096 demonstrates the importance of staying up to date on the latest security vulnerabilities and keeping your WordPress plugins patched. Site administrators should promptly update the HTML filter and CSV-file search plugin to version 2.8 or higher to protect against this stored XSS vulnerability. Regularly auditing users with contributor-level permissions or higher is equally important to maintaining your website's security. By staying vigilant and proactively addressing security vulnerabilities, you can help protect your WordPress website and its users from potential attacks.

Timeline

Published on: 11/22/2023 16:15:00 UTC
Last modified on: 11/27/2023 22:10:00 UTC