Blog Cover

WordPress WP-WordPress Nested Pages Plugin – Stored Cross-Site Scripting (XSS)

Title: Responsible Vulnerability Disclosure Stored Cross-Site Scripting (XSS) CVE-2022-1990: – Stored Cross-Site Scripting (XSS) Vulnerability in WordPress Nested Pages Plugin (Affected Plugin Version Number < 3.1.21).

INTRODUCTION

WordPress is a content management system (WCM) i.e., it is a tool that organizes the whole process of creating, storing, and showcasing web content in an optimal way. WordPress started its journey as an improvement tool to enhance the regular typography of day-to-day writing. But it was taken as a blogging tool and as we reach the last quarter of this year WordPress stands strong as the most used WCM system used and that also not only in the blogging community. WordPress is completely an open-source tool and is still being updated very frequently.

eSecForte Technologies Security Researcher –Sachin Bahl found a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Nested Pages Plugin, and it has been assigned CVE-2022-1990 by the WPScan.

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

 

Platform/Product: WordPress Nested Pages Plugin – Affected Plugin Version Number < 3.1.21

Vulnerability Name: Stored Cross-Site Scripting (XSS)

Affected Component:

Attack Type:

Impact:

Attackers can execute scripts in a victim’s browser to hijack user sessions, deface websites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

Recommendation:

  1. The preferred option is to properly escape all un-trusted data based on the HTML context. Include data escaping techniques in their applications.
  2. Use positive or “white-list” input validation to protect against XSS.
  3. Use HTML & URL encoding for applications that accept special characters and meta tags. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input.
  4. Client-side and server-side validation should be implemented. Server-side validation is mandatory.

Method of Exploitation

Steps to Reproduce #:-

1. Install WordPress and Go to the dashboard.

Open Word Press

2. Now go to Plugin and select Add New.

Install Plugin

3. Now Install and Activate Nested Pages Plugin.

3. Now Install and Activate Nested Pages Plugin.

4. Now go to settings > Nested Pages.

4. Now go to settings > Nested Pages.

5. “Menu Name” Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

5. “Menu Name” Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

6. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality and take mouse over “ Menu Name “ Input Field at that time JavaScript payload is executing successfully and we are getting a pop-up.

6. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality and take mouse over “ Menu Name “ Input Field at that time JavaScript payload is executing successfully and we are getting a pop-up.

[Disclosure Process]

  1. Reported the Vulnerability to the WordPress Team.
  2. Acknowledged confirmed from the Vendor that vulnerability exist.
  3. CVE has been assigned by WPScan.
  4. Vendor confirm that the vulnerability is fixed or a latest version, patch is released.
  5. Vulnerability disclosed to the public.

 

[Reference]                                    

https://wpscan.com/vulnerability/42f1bf1f-95a8-41ee-a637-88deb80ab870

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1990

 

[Has vendor confirmed or acknowledged the vulnerability?]

Yes                        

                                                                                           

[Discoverer]                                                                                                      

Sachin Bahl from eSec Forte Technologies Pvt Ltd