CVE-2023-5667 - Exploiting Stored Cross-Site Scripting in Tab Ultimate WordPress Plugin — A Deep Dive

WordPress plugin vulnerabilities can put your entire website at risk, and nothing exemplifies this more than CVE-2023-5667. In this article, we’ll look at how a simple bug in the Tab Ultimate plugin (up to v1.3) allows attackers to insert malicious JavaScript into your website. We'll show what causes the issue, how attackers exploit it, and what you can do to protect your WordPress site. Examples, code snippets, and links to official sources are all included.

What is CVE-2023-5667?

CVE-2023-5667 is a Stored Cross-Site Scripting (XSS) vulnerability present in versions <= 1.3 of the Tab Ultimate WordPress plugin.

Versions Affected: 1.3 and earlier

- Vulnerability: Insufficient input sanitization & output escaping on user-supplied shortcode attributes

What Does This Mean?

Any authenticated user with contributor or higher permissions can inject arbitrary JavaScript (or HTML) via plugin shortcodes, which gets stored and then executed every time a user visits the page. This gives attackers a reliable way to target both admins and visitors.

The core feature of Tab Ultimate is to display tabbed content using shortcodes like this

[tab_ultimate title="My Tab"]Content here[/tab_ultimate]

Vulnerable Scenario

When the input to the title attribute (or other attributes) isn’t properly sanitized, anyone who can create or edit posts can inject a payload:

[tab_ultimate title="<script>alert('Hacked!')</script>"]My Tab Content[/tab_ultimate]

Here’s a simplified vulnerable PHP extraction from the plugin (for demonstration only)

// Inside plugin's render function
function render_tab_ultimate($atts, $content = null) {
    $title = $atts['title']; // No sanitization here!
    return '<div class="tab-ultimate"><h4>'.$title.'</h4>'.$content.'</div>';
}
// register shortcode
add_shortcode('tab_ultimate', 'render_tab_ultimate');

Attacker’s malicious shortcode

[tab_ultimate title="<script>alert(document.cookie)</script>"]Hacked![/tab_ultimate]

Log in as contributor user

2. Create or edit a page/post

`

[tab_ultimate title=""]Hello![/tab_ultimate]

Privilege escalation: Attackers can escalate attacks and try to steal admin sessions.

- Wide Impact: All visitors to infected posts/pages are at risk.

Any WordPress website with Tab Ultimate <= 1.3 installed

- Any contributor-level user or above able to create/edit posts

As of writing, CVE-2023-5667 affects all versions up to and including 1.3.

- Check for plugin updates on WordPress.org and upgrade as soon as a patch is released.

Restrict contributor role distribution

- Install a web application firewall (WAF) plugin, such as Wordfence or Sucuri.

Update your plugin code as follows

function render_tab_ultimate($atts, $content = null) {
    $title = esc_html($atts['title']); // Properly encode for output
    return '<div class="tab-ultimate"><h4>'.$title.'</h4>'.$content.'</div>';
}

References

- NVD - CVE-2023-5667
- Wordfence Advisory
- Tab Ultimate Plugin
- OWASP XSS

Final Thoughts

CVE-2023-5667 is a reminder that even small WordPress plugins can open big doors for hackers. If you use Tab Ultimate, take action now: patch, sanitize, and secure your website. Stored XSS vulnerabilities may seem minor, but they can have devastating consequences. Don’t let your WordPress site be the next victim.

Stay safe, update often, and always sanitize user input!

*Have questions about WordPress security or this vulnerability? Comment below or contact me directly for an in-depth security audit.*

Timeline

Published on: 11/22/2023 16:15:00 UTC
Last modified on: 11/28/2023 19:22:00 UTC