In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover
Main info:
| CVE | CVE-2023-5237 |
| Plugin | Memberlite Shortcodes |
| Critical | High |
| Publicly Published | October 9, 2023 |
| Last Updated | October 9, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | Will be later |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5237 https://wpscan.com/vulnerability/a46d686c-6234-4aa8-a656-00a65c55d0b0 |
| Plugin Security Certification by CleanTalk |  |
Timeline
| September 19, 2023 | Plugin testing and vulnerability detection in the Memberlite Shortcodes plugin have been completed |
| September 19, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 25, 2023 | The author has released a fix update |
| October 9, 2023 | Registered CVE-2023-5237 |
Discovery of the Vulnerability
During a comprehensive assessment of the Memberlite Shortcodes plugin, a critical vulnerability was uncovered. This vulnerability enables threat actors to execute Stored Cross-Site Scripting (XSS) attacks by leveraging a shortcode within a new post. This security flaw has the potential to result in an account takeover, particularly when exploited by a contributor.
Understanding of Stored XSS attack’s
Stored Cross-Site Scripting (XSS) is a type of security vulnerability where malicious scripts are injected into a web application and subsequently stored for later execution when accessed by other users. Although typically associated with HTTP headers, XSS can also be achieved through shortcodes. An attacker can exploit this vulnerability to insert malicious code, such as JavaScript, into a shortcode within a post.
Exploiting the Stored XSS
Exploiting the Stored XSS vulnerability in the Memberlite Shortcodes plugin involves an attacker, with contributor-level privileges, inserting malicious code within a shortcode in a new post. This code can include payloads designed to steal user data, hijack sessions, or perform actions on behalf of the compromised contributor account. Attackers can craft posts to entice users to view them, thereby triggering the execution of the malicious script.
POC shortcode:
[memberlite_banner align='” onmouseover=”alert(/XSS/)”‘ background=”primary” title=”Primary Banner”] Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla ultrices, nibh et iaculis lobortis, leo orci efficitur libero, non pharetra libero sem non lectus. Integer sit amet leo vel quam elementum scelerisque vel ac arcu. [/memberlite_banner]
This shortcode must be contained in the new post’s
The potential risks associated with CVE-2023-5237 are significant. An attacker who successfully exploits this vulnerability can:
- Execute arbitrary code within the context of other users’ browsers.
- Steal sensitive data like cookies or session information.
- Gain unauthorized access to the compromised contributor’s account.
- Impersonate contributors to perform malicious actions on the website.
In a real-world scenario, envision an attacker leveraging this vulnerability to compromise a contributor’s account on a website utilizing the Memberlite Shortcodes plugin. By embedding a malicious shortcode in a post, they can execute an XSS attack on anyone who views the manipulated content. This could result in unauthorized account access, data breaches, and damage to the website’s reputation.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2023-5237 and enhance the overall security of WordPress websites using the Memberlite Shortcodes plugin, consider the following recommendations:
- Update the plugin: Ensure the Memberlite Shortcodes plugin is updated to the latest version, which should include a patch to address this vulnerability.
- Input validation and sanitization: Implement rigorous input validation and data sanitization to prevent the injection of malicious code through shortcodes or other user inputs.
- Least privilege principle: Restrict the capabilities and permissions of contributors and other user roles to minimize the potential impact of a compromised account.
- Regular security audits: Conduct routine security audits and penetration testing to proactively identify and address vulnerabilities.
- User awareness and education: Educate contributors and administrators about potential security threats and best practices for securely using and managing plugins and shortcodes.
By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks via shortcodes and enhance the overall security posture of their WordPress installations.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
