eSec Blog

WordPress Duplicate Page and Post Plugin – Stored Cross-Site Scripting (XSS)

Title: Responsible Vulnerability Disclosure Stored Cross-Site Scripting (XSS) CVE-2022-2152: – Stored Cross-Site Scripting (XSS) Vulnerability in WordPress Duplicate Page and Post Plugin (Affected Plugin Version Number < 2.8).

INTRODUCTION

WordPress is a content management system (WCM) i.e., it is a tool that organizes the whole process of creating, storing, and showcasing web-content in an optimal way. WordPress started its journey as an improvement tool to enhance the regular typography of day-to-day writing. But it was taken as a blogging tool and as we reach the last quarter of this year WordPress stands strong as the most used WCM system used and that also not only in the blogging community. WordPress is completely an open-source tool and is still being updated very frequently.

eSecForte Technologies Security Researcher – Sachin Kumar found a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Duplicate Page and Post Plugin, and it has been assigned CVE-2022-2152 by the WPScan. 

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Platform/Product: WordPress Duplicate Page and Post Plugin – Affected Plugin Version Number < 2.8

Vulnerability Name: Stored Cross-Site Scripting (XSS)

Affected Component: 

Attack Type: 

Impact

Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

Recommendation:

  1. The preferred option is to properly escape all un-trusted data based on the HTML context. Include data escaping techniques in their applications.
  2. Use positive or “white-list” input validation to protect against XSS.
  3. Use HTML & URL encoding for applications which accept special characters and meta tags. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input.
  4. Client side and server-side validation should be implemented. Server-side validation is mandatory.

Method of Exploitation

Steps to Reproduce #:-

1.Install WordPress and Go to the dashboard.

Install Wordpress and Go to the dashboard.

2. Now go to Plugin and select Add New.

Install Plugin

3.Now Install and Activate Duplicate Page and Post Plugin.

Now Install and Activate Duplicate Page and Post Plugin.

4.Now go to settings > Duplicate Post.

Now go to settings > Duplicate Post.

5.“Duplicate Post Suffix” or “Duplicate Link Text “ Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

“Duplicate Post Suffix” or “Duplicate Link Text “ Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

6.You will observe that the payload successfully got stored into the database. When you visit the Duplicate Post page again you will see that payload is executing successfully and we are getting a pop-up.

You will observe that the payload successfully got stored into the database. When you visit the Duplicate Post page again you will see that payload is executing successfully and we are getting a pop-up.

[Disclosure Process]

  1. Reported the Vulnerability to the WordPress Team.
  2. Acknowledged confirmed from the Vendor that vulnerability exist.
  3. CVE has been assigned by WPScan.
  4. Vendor confirm that the vulnerability is fixed or a latest version, patch is released.
  5. Vulnerability disclosed to the public.

 

[Reference]                                    

https://wpscan.com/vulnerability/e972e2c5-0d56-4d2a-81cc-2b0dff750124

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2152

 

[Has vendor confirmed or acknowledged the vulnerability?]

Yes                        

                                                                                           

[Discoverer]                                                                                                      

Saurabh Seth from eSec Forte Technologies Pvt Ltd