During the evaluation of the Medialist plugin, security researchers discovered a critical vulnerability enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability allows contributors to embed malicious JavaScript code into new posts using a specific shortcode, leading to potential account takeover and other malicious activities.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2023-5942 |
| Plugin | Medialist < 1.4.1 |
| Critical | High |
| All Time | 6 205 |
| Active installations | 800+ |
| Publicly Published | January 1, 2024 |
| Last Updated | January 1, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5942 , https://wpscan.com/vulnerability/914559e1-eed5-4a69-8371-a48055835453/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| September 27, 2023 | Plugin testing and vulnerability detection in the Media List plugin have been completed |
| September 27, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 15, 2023 | The author fixed the vulnerability and released the plugin update |
| January 1, 2024 | Registered CVE-2023-5942 |
Discovery of the Vulnerability
In the process of testing the plugin, a vulnerability was found that allows a user with the Contributor role to perform Stored XSS by embedding the shortcode in a new post, which can lead to account takeover.
Understanding Stored XSS Attacks
Stored XSS vulnerabilities occur when user-supplied data is stored on a website’s server and later displayed to other users without proper sanitization. In WordPress, plugins often process user input to generate dynamic content such as posts or comments. Attackers can exploit this functionality by injecting malicious JavaScript code into posts or comments, which is then executed when other users view the affected content.
For example, in the Medialist plugin, the vulnerable shortcode allows contributors to embed media content into posts. By injecting JavaScript code into the shortcode attributes, an attacker can trigger arbitrary actions when unsuspecting users view the compromised content.
Exploiting the Stored XSS Vulnerability
To exploit the vulnerability, an attacker would craft a malicious post containing the vulnerable shortcode with embedded JavaScript code. This code would execute when the post is viewed by other users, potentially leading to account takeover or other malicious activities.
PoC request:
[medialist style='" onmouseover="alert(/XSS/)"' rml_folder=/var/www/html/wordpress globalitems=1 ]
___
The impact of this vulnerability is severe, as it allows attackers to compromise the integrity and security of WordPress websites. In real-world scenarios, an attacker could exploit this vulnerability to steal sensitive user data, spread malware, deface websites, or perform other malicious actions.
Recommendations for Improved Security
- To mitigate the risk posed by Stored XSS vulnerabilities, developers should implement proper input validation and output sanitization techniques in their plugins. WordPress administrators should also keep their plugins up to date and monitor for security advisories from plugin developers. Additionally, users should exercise caution when interacting with user-generated content on websites and install security plugins that offer protection against XSS attacks.
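The following is an added illustration, not the Medialist plugin's or the researcher's code: a minimal shortcode handler showing the vulnerable pattern beside its hardened form. The attribute names (style, rml_folder, globalitems) are taken from the PoC shortcode above; the handler and shortcode names are assumed. Because a shortcode is rendered at view time, the kses filtering WordPress applies to a Contributor's post body does not protect the markup the handler generates, so the handler has to escape its own output.

```php
<?php
// Added example (not the plugin's own code). Assumed handler names;
// attribute names come from the published PoC shortcode.

// Vulnerable pattern: the 'style' attribute is concatenated into the markup
// unescaped. With style='" onmouseover="alert(/XSS/)"' the embedded double
// quote closes the style attribute and the rest becomes an event handler
// attribute on the <div>, which fires for any visitor who views the post.
function medialist_demo_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'style'       => '',
        'rml_folder'  => '',
        'globalitems' => 0,
    ), $atts, 'medialist_demo_vulnerable' );

    return '<div class="medialist" style="' . $atts['style'] . '"'
         . ' data-folder="' . $atts['rml_folder'] . '"'
         . ' data-items="' . $atts['globalitems'] . '"></div>';
}

// Hardened form: each value is escaped for the context it lands in.
// esc_attr() encodes the double quote as &quot;, so the browser keeps the whole
// value inside the attribute and never parses an onmouseover attribute.
// safecss_filter_attr() additionally drops anything that is not an allowed
// CSS declaration, and absint() enforces the expected integer type.
function medialist_demo_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'style'       => '',
        'rml_folder'  => '',
        'globalitems' => 0,
    ), $atts, 'medialist_demo_hardened' );

    $style  = esc_attr( safecss_filter_attr( $atts['style'] ) );
    $folder = esc_attr( $atts['rml_folder'] );
    $items  = absint( $atts['globalitems'] );

    return sprintf(
        '<div class="medialist" style="%s" data-folder="%s" data-items="%d"></div>',
        $style, $folder, $items
    );
}

add_shortcode( 'medialist_demo_vulnerable', 'medialist_demo_vulnerable' );
add_shortcode( 'medialist_demo_hardened', 'medialist_demo_hardened' );
```

Fed the PoC value, the hardened handler emits an empty style attribute (the injected text is not a valid CSS declaration), whereas the vulnerable one emits a live onmouseover handler.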
Stay informed about security vulnerabilities and best practices by subscribing to security mailing lists, following security blogs, and participating in relevant forums or communities.
DMITRII I.