CVE-2023-5946 - Critical Reflected XSS in Digirisk WordPress Plugin – Breakdown, Exploit, and How to Stay Safe

If you’re running a WordPress site and use the Digirisk plugin, you need to pay attention to this: CVE-2023-5946 is a real and present threat. This vulnerability lets attackers inject malicious scripts into your site using one messed up parameter, and it doesn’t even require them to log in. Here’s everything you need to know, explained for everyday site owners, with actual code examples and mitigation tips.

What is CVE-2023-5946?

Digirisk is a popular WordPress plugin designed for risk assessment. Up until version 6..., Digirisk didn’t properly sanitize or escape user-supplied input in its handling of the current_group_id parameter. This creates a Reflected Cross-Site Scripting (XSS) vulnerability.

Basically, a hacker can craft a special link that includes JavaScript. If an unsuspecting user clicks that link, malicious code will run in the user’s browser. This can lead to data theft, account compromise, or your users being tricked by fake forms.

Technical Details

Attackers target a page that uses the current_group_id parameter. Digirisk doesn’t properly filter what’s in that field before putting it into web pages.

Here’s an example of a malicious link an attacker could send

https://yoursite.com/wp-admin/admin.php?page=digirisk_dashboard&current_group_id=<script>alert('XSS')</script>;

If a logged-in admin clicks this link, the JavaScript inside the <script> tags runs—showing a popup as a simple Proof of Concept, but in reality, much worse things can be done.

Vulnerable Code Example

Suppose the vulnerable code looks something like this in Digirisk’s source (simplified for illustration):

// Dangerous: Directly outputting unsanitized user input
$current_group_id = $_GET['current_group_id'];
echo '<div id="group">'. $current_group_id .'</div>';

If this is how the plugin handles the parameter, then whatever content the attacker puts into current_group_id gets inserted straight into the HTML, and any script tags will run.

The link contains malicious JavaScript in the current_group_id.

3. If the targeted user is logged in and clicks the link, the code runs in their browser. The attacker can:

Let’s look at a more advanced payload

https://example.com/wp-admin/admin.php?page=digirisk_dashboard&current_group_id=%3Cimg%20src=x%20onerror=alert(%27Hacked!%27)%3E

This code uses the image tag and triggers when loading fails. It pops up “Hacked!” as proof, but real attackers can replace that with fetch calls to steal info.

Original References

- WPScan Advisory: CVE-2023-5946
- NVD Entry - CVE-2023-5946
- WordPress Plugin Page - Digirisk

`php

// Safer way
$current_group_id = isset($_GET['current_group_id']) ? sanitize_text_field($_GET['current_group_id']) : '';
echo '

'. esc_html($current_group_id) .'';

Conclusion

CVE-2023-5946 is a classic reflected XSS, but the consequences can be devastating if you ignore it. Luckily, it’s easy to fix—just update your Digirisk plugin! Keep an eye on your site’s security, be skeptical of strange links, and make sure your users are aware of these basic precautions.

If you want to read even more, check out the official advisories on WPScan and the CVE database entry.

Timeline

Published on: 11/03/2023 14:15:08 UTC
Last modified on: 11/13/2023 17:43:39 UTC