CVE-2023-5163 - Stored XSS in Weather Atlas Widget WordPress Plugin (<= 1.2.1) – Simple Exploit Guide
Intro
In January 2024, a serious security flaw was found in the popular WordPress plugin, Weather Atlas Widget. Registered as CVE-2023-5163, this bug exposes websites using this plugin (up to version 1.2.1) to Stored Cross-Site Scripting (XSS) attacks. Let’s break down how this vulnerability works, how it can be exploited, and the steps you should take to secure your site.
What is the Weather Atlas Widget Plugin?
Weather Atlas Widget adds customizable weather data to WordPress sites courtesy of a draggable widget and a handy shortcode: [shortcode-weather-atlas]. Used widely for travel blogs, news, and community portals, it’s a common add-on.
The Vulnerability: Stored Cross-Site Scripting via Shortcode
CVE-2023-5163 is a stored XSS flaw. The root cause is insufficient sanitization and lack of proper escaping for user-supplied attributes in the plugin’s shortcode handler. Here’s the catch: Any logged-in user with at least contributor role can inject arbitrary JavaScript that gets stored in the page and runs whenever someone visits it.
Why is this bad?
Stored XSS is one of the most dangerous web vulnerabilities. Malicious JavaScript can be used to steal user cookies, deface pages, or add fake login forms to capture passwords.
Technical Details: The Exploit
The attack centers on WordPress’ shortcode system. Attackers can craft a page or post using the vulnerable [shortcode-weather-atlas] shortcode and inject JavaScript with specially crafted parameter values.
Example of a malicious shortcode
[shortcode-weather-atlas location='New York' label='" onmouseover="alert(1)" data="']
When that shortcode is viewed, the label attribute is output to the page without escaping. The quote characters and event handler are interpreted as part of the HTML, and the onmouseover="alert(1)" code is executed when a user hovers on the label.
Saves the draft or publishes the page.
4. Any user (including admins) who visits the post and moves their mouse over the weather label triggers alert(document.cookie) — demonstrating cookie-stealing potential.
Here’s a direct example to use in a vulnerable setup
[shortcode-weather-atlas location='London' label='Weather" style="background:yellow" onmouseover="alert(\'Hacked\')" data="']
When a viewer mouses over "Weather", a pop-up with Hacked appears — clear sign the code is executed.
The plugin does not sanitize special HTML characters in user-supplied attributes.
- It outputs the parameter directly into HTML without using WordPress’ built-in escaping functions (like esc_html() or esc_attr()).
Reference & More Information
- CVE-2023-5163 CVE Detail
- Plugin Download Page
- Wordfence Advisory
What To Do: Fix & Mitigation Steps
1. Update Immediately: Upgrade Weather Atlas Widget to the latest version available. If in doubt, disable the plugin until you can patch.
2. Check for Suspicious Content: Review any pages or posts created by contributors or editors since your last update.
3. Use Security Tools: Install security plugins like Wordfence to monitor XSS and other threats.
Conclusion
CVE-2023-5163 is dangerous because it gives lower-privileged WordPress users a way to attack your website visitors. Always keep plugins updated and practice least-privilege access for site contributors. Stored XSS is preventable: plugin authors must always sanitize and escape user input!
*Have you secured your site after this bug? Let us know if you need help!*
*This post is an exclusive guide written for educational and awareness purposes. Don’t use these instructions for unauthenticated attacks or without permission.*
Timeline
Published on: 11/22/2023 16:15:10 UTC
Last modified on: 11/27/2023 22:10:37 UTC