Stored-Cross-Site-Scripting-XSS

WordPress Page Generator Plugin – Stored Cross-Site Scripting (XSS)

Title: Responsible Vulnerability Disclosure Stored Cross-Site Scripting (XSS) CVE-2022-2100: – Stored Cross-Site Scripting (XSS) Vulnerability in WordPress Page Generator Plugin (Affected Plugin Version Number < 1.6.5).

INTRODUCTION

WordPress is a content management system (WCM) i.e., it is a tool that organizes the whole process of creating, storing, and showcasing web-content in an optimal way. WordPress started its journey as an improvement tool to enhance the regular typography of day-to-day writing. But it was taken as a blogging tool and as we reach the last quarter of this year WordPress stands strong as the most used WCM system used and that also not only in the blogging community. WordPress is completely an open-source tool and is still being updated very frequently.

eSecForte Technologies Security Researcher – Sachin Bahl found a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Page Generator Plugin, and it has been assigned CVE-2022-2100 by the WPScan. 

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Platform/Product: WordPress Page Generator Plugin – Affected Plugin Version Number < 1.6.5

Vulnerability Name: Stored Cross-Site Scripting (XSS)

Affected Component: 

Attack Type: 

Impact

Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

Recommendation:

  1. The preferred option is to properly escape all un-trusted data based on the HTML context. Include data escaping techniques in their applications.
  2. Use positive or “white-list” input validation to protect against XSS.
  3. Use HTML & URL encoding for applications which accept special characters and meta tags. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input.
  4. Client side and server-side validation should be implemented. Server-side validation is mandatory.

Method of Exploitation

Steps to Reproduce #:-

1.Install WordPress and Go to the dashboard.

Install Wordpress and Go to the dashboard.

2. Now go to Plugin and select Add New.

Install Plugin

3.Now Install and Activate Page Generator Plugin.

Now Install and Activate Page Generator Plugin.

4. Now go to settings > Page Generator.

Now go to settings > Page Generator.

5.“Terms” Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

“Terms” Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

6.You will observe that the payload successfully got stored into the database. When you visit the page generator page again you will see that payload is executing successfully and we are getting a pop-up.

You will observe that the payload successfully got stored into the database. When you visit the page generator page again you will see that payload is executing successfully and we are getting a pop-up.

[Disclosure Process]

  1. Reported the Vulnerability to the WordPress Team.
  2. Acknowledged confirmed from the Vendor that vulnerability exist.
  3. CVE has been assigned by WPScan.
  4. Vendor confirm that the vulnerability is fixed or a latest version, patch is released.
  5. Vulnerability disclosed to the public.

 

[Reference]                                    

https://wpscan.com/vulnerability/7d8b7871-baa5-4a54-a9e9-2c9d302cdd12

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2100

 

[Has vendor confirmed or acknowledged the vulnerability?]

Yes                        

                                                                                           

[Discoverer]                                                                                                      

Saurabh Seth from eSec Forte Technologies Pvt Ltd