CVE-2023-5774 is a critical security vulnerability that affects the Animated Counters plugin for WordPress. This long-read post gives a detailed analysis of the vulnerability, a code snippet showing the vulnerable portion of the plugin, and links to relevant original references and exploit details. The vulnerability allows attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages, which execute whenever a user accesses an injected page.

The Animated Counters plugin for WordPress is a popular tool that allows you to easily create and insert animated counters into your WordPress site. However, all versions up to and including version 1.7 of this plugin are vulnerable to Stored Cross-Site Scripting (also known as Stored XSS).

A Stored XSS attack is accomplished when an attacker manages to store a malicious script within a website's database. This script is then executed by the browser of any user who accesses a webpage containing the stored script. Since the attacker-supplied code is being executed in the context of a user's browser, it can be used to carry out a wide range of malicious activities, such as accessing sensitive information, manipulating site content, and even performing actions on behalf of the user.

The vulnerability in the Animated Counters plugin is due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode(s). A well-crafted shortcode could be used to inject arbitrary web scripts into a WordPress page.

To better understand the vulnerability, let us look at a code snippet from the affected plugin:

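function dani_animation_shortcode($atts){
	// Merge user-supplied attributes with defaults and import them as
	// local variables ($animation, $id). No validation happens here.
	extract(shortcode_atts(array(
		'animation' => '',
		'id' => '',
	), $atts));

	// Vulnerable: both values are concatenated into HTML attributes
	// without esc_attr() or any other output escaping.
	return '<div class="counter" id="' . $id . '" data-animation="' . $animation . '"></div>';
}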

In the code snippet above, the dani_animation_shortcode function is responsible for processing the plugin's shortcode(s). As you can see, the $atts variable represents the user-supplied attributes, while $id and $animation are directly inserted into the output HTML without any validation or output escaping.

This means that an attacker with contributor-level permissions or higher could simply use a shortcode like this to inject a malicious script into a WordPress page:

[animated_counter id="mce_temp_url#" onclick="alert('XSS');" data-animation=""]1[/animated_counter]

Now, every time a user accesses a page containing the injected shortcode, the script would execute – for example, causing an alert popup with the message 'XSS' in this case.

To protect your WordPress site from this vulnerability, it's crucial to update the Animated Counters plugin to the latest version as soon as possible. Alternatively, you could disable the plugin entirely until the developers have released a patch addressing this issue.
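As an added example (not the plugin's own code or its official patch), this is one way the handler shown earlier could validate its attributes on input and escape them on output. The `_hardened` function name and the allow-list of animation names are assumptions made for illustration.

```php
<?php
// Added example: hardened variant of the shortcode handler discussed above.
// Assumptions: the function name suffix and the animation allow-list are
// hypothetical; adapt them to the values the plugin really supports.

function dani_animation_shortcode_hardened( $atts ) {
	// Merge with defaults but keep the result in an array instead of
	// calling extract(), so nothing becomes a variable implicitly.
	$atts = shortcode_atts(
		array(
			'animation' => '',
			'id'        => '',
		),
		$atts
	);

	// Input validation: reduce the id to characters that are safe in an
	// HTML id token (A-Z, a-z, 0-9, underscore, hyphen).
	$id = sanitize_html_class( $atts['id'] );

	// Input validation: accept only known animation names (hypothetical list).
	$allowed_animations = array( 'count-up', 'count-down' );
	$animation          = in_array( $atts['animation'], $allowed_animations, true )
		? $atts['animation']
		: '';

	// Output escaping: esc_attr() encodes quotes and angle brackets, so a
	// value can never close the attribute and start a new one.
	return sprintf(
		'<div class="counter" id="%s" data-animation="%s"></div>',
		esc_attr( $id ),
		esc_attr( $animation )
	);
}
```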

For further information and original references regarding CVE-2023-5774 and the Animated Counters plugin vulnerability, we recommend checking out the following resources:

1. CVE-2023-5774 - NVD (National Vulnerability Database)
2. OWASP Top Ten Project - Cross-Site Scripting (XSS)
3. WordPress Plugin Security - Developer Guidelines

In conclusion, the Stored XSS vulnerability in the Animated Counters WordPress plugin (CVE-2023-5774) exposes websites to potentially dangerous exploits. It is crucial that administrators take action to protect their sites by updating the plugin or disabling it until a patch is released. Keeping your site and plugins up-to-date is an essential part of maintaining a secure online presence.

Timeline

Published on: 10/27/2023 11:15:00 UTC
Last modified on: 11/07/2023 04:24:00 UTC