In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover

Main info:

CVECVE-2023-5237
PluginMemberlite Shortcodes
CriticalHigh
Publicly PublishedOctober 9, 2023
Last UpdatedOctober 9, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitWill be later
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5237
https://wpscan.com/vulnerability/a46d686c-6234-4aa8-a656-00a65c55d0b0
Plugin Security Certification by CleanTalk

Timeline

September 19, 2023Plugin testing and vulnerability detection in the Memberlite Shortcodes plugin have been completed
September 19, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 25, 2023The author has released a fix update
October 9, 2023Registered CVE-2023-5237

Discovery of the Vulnerability

During a comprehensive assessment of the Memberlite Shortcodes plugin, a critical vulnerability was uncovered. This vulnerability enables threat actors to execute Stored Cross-Site Scripting (XSS) attacks by leveraging a shortcode within a new post. This security flaw has the potential to result in an account takeover, particularly when exploited by a contributor.

Understanding of Stored XSS attack’s

Stored Cross-Site Scripting (XSS) is a type of security vulnerability where malicious scripts are injected into a web application and subsequently stored for later execution when accessed by other users. Although typically associated with HTTP headers, XSS can also be achieved through shortcodes. An attacker can exploit this vulnerability to insert malicious code, such as JavaScript, into a shortcode within a post.

Exploiting the Stored XSS

Exploiting the Stored XSS vulnerability in the Memberlite Shortcodes plugin involves an attacker, with contributor-level privileges, inserting malicious code within a shortcode in a new post. This code can include payloads designed to steal user data, hijack sessions, or perform actions on behalf of the compromised contributor account. Attackers can craft posts to entice users to view them, thereby triggering the execution of the malicious script.

POC shortcode:

[memberlite_banner align='” onmouseover=”alert(/XSS/)”‘ background=”primary” title=”Primary Banner”] Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla ultrices, nibh et iaculis lobortis, leo orci efficitur libero, non pharetra libero sem non lectus. Integer sit amet leo vel quam elementum scelerisque vel ac arcu. [/memberlite_banner]

This shortcode must be contained in the new post’s

The potential risks associated with CVE-2023-5237 are significant. An attacker who successfully exploits this vulnerability can:

  • Execute arbitrary code within the context of other users’ browsers.
  • Steal sensitive data like cookies or session information.
  • Gain unauthorized access to the compromised contributor’s account.
  • Impersonate contributors to perform malicious actions on the website.

In a real-world scenario, envision an attacker leveraging this vulnerability to compromise a contributor’s account on a website utilizing the Memberlite Shortcodes plugin. By embedding a malicious shortcode in a post, they can execute an XSS attack on anyone who views the manipulated content. This could result in unauthorized account access, data breaches, and damage to the website’s reputation.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2023-5237 and enhance the overall security of WordPress websites using the Memberlite Shortcodes plugin, consider the following recommendations:

  • Update the plugin: Ensure the Memberlite Shortcodes plugin is updated to the latest version, which should include a patch to address this vulnerability.
  • Input validation and sanitization: Implement rigorous input validation and data sanitization to prevent the injection of malicious code through shortcodes or other user inputs.
  • Least privilege principle: Restrict the capabilities and permissions of contributors and other user roles to minimize the potential impact of a compromised account.
  • Regular security audits: Conduct routine security audits and penetration testing to proactively identify and address vulnerabilities.
  • User awareness and education: Educate contributors and administrators about potential security threats and best practices for securely using and managing plugins and shortcodes.

By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks via shortcodes and enhance the overall security posture of their WordPress installations.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.

CVE-2023-5237 – Memberlite Shortcodes – Stored XSS via shortcode

Leave a Reply

Your email address will not be published. Required fields are marked *