CVE CyberSecurity Database News

CVE-2023-5817 - Exploiting Stored XSS in Neon Text WordPress Plugin (Version <= 1.1)

Poster -

If you’re running a WordPress website with the Neon Text plugin (versions 1.1 or below), you could be at risk of a serious security issue: Stored Cross-Site Scripting (XSS). This vulnerability, tracked as CVE-2023-5817, is a great example of how missing user input checks can put sites – and their users – in harm’s way. In this post, I’ll break down what’s happening with this bug, show you a straightforward exploit, and point you to authoritative references.

What is CVE-2023-5817?

This is a stored XSS (Cross-Site Scripting) vulnerability in the Neon Text plugin for WordPress (to version 1.1). Stored XSS is dangerous: a malicious user can inject JavaScript (or other scripts) into pages that other users visit.

How? The plugin provides a [neontext_box] shortcode, which is supposed to make cool neon-styled text. However, one of its attributes—color—doesn’t get sanitized or escaped properly.

Any authenticated user with at least Contributor rights (meaning, not just admins!)

- They simply add a customized [neontext_box] shortcode to any post/page.

What’s at risk?

- All users who visit a post/page with the malicious shortcode will have scripts run in their browser, potentially exposing cookies, login info, or letting hackers deface pages, create fake forms, or redirect to phishing sites.

Let’s imagine a contributor creates a new post or page, and inserts this shortcode

[neontext_box color='" style="color:red;" onmouseover="alert(1)"']Important</span>

Actual HTTP Request

If you add the malicious shortcode to a post and publish it, anyone who hovers over the neon text on your page will trigger alert(1). In the real world, attackers will do much more than just pop up an alert—they might steal your cookies or create a new admin user.

Step 2: Add the following shortcode to the post content

[neontext_box color='" onmouseover="alert(XSS)"']Click me![/neontext_box]

Step 3: Save the draft or submit for review (or publish, if you’re allowed).

Step 4: Visit the post/page in your browser. When you hover your mouse over "Click me!", an alert pops up. If an admin or visitor loads the post, the JavaScript will execute as their user.

Looking into the plugin code (approximate), you’ll find something like this

// Vulnerable PHP snippet (simplified)
function neontext_box_shortcode($atts, $content = null) {
    $color = $atts['color'];
    return '<span style="color: ' . $color . ';">' . esc_html($content) . '</span>';
}
add_shortcode('neontext_box', 'neontext_box_shortcode');

No sanitization or escaping of the $color value—so arbitrary characters (including quotes and event handlers) can sneak into the HTML output.

Remediation

- Update the plugin: At the time of writing, check Neon Text plugin on WordPress.org for patches or contact the plugin author.

References

- Wordfence Advisory: Neon Text <1.1 - Contributor+ Stored XSS via Shortcode
- CVE-2023-5817 Entry - NVD
- Neon Text plugin on WordPress.org

Conclusion

CVE-2023-5817 is a classic example of how insufficient user input protection leads to dangerous XSS capabilities, even for lower-privileged users in WordPress. Always filter and escape user inputs—especially attributes used in output HTML!

If you use Neon Text <=1.1, update or disable ASAP. Don’t give attackers the chance to turn your neon text into a security nightmare.

Timeline

Published on: 10/27/2023 11:15:13 UTC
Last modified on: 11/07/2023 21:16:59 UTC