CVE-2023-4289 – WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode

In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover

Main info:

CVE	CVE-2023-4289
Plugin	WP Matterport Shortcode
Critical	High
Publicly Published	September 25, 2023
Last Updated	September 25, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4289 https://wpscan.com/vulnerability/38c337c6-048f-4009-aef8-29c18afa6fdc
Plugin Security Certification by CleanTalk

Timeline

August 7, 2023	Plugin testing and vulnerability detection in the WP Matterport Shortcode plugin have been completed
August 7, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 20, 2023	The author has eliminated the vulnerability and patched his plugin
September 25, 2023	Registered CVE-2023-4289

Discovery of the Vulnerability

During the process of plugin testing, a vulnerability was uncovered in WP Matterport Shortcode. This vulnerability allows for the execution of Stored Cross-Site Scripting (XSS) attacks, carried out on behalf of a contributor-level user by embedding a malicious shortcode within a new post. This security flaw could potentially lead to account takeover and poses a significant threat to website security.

Understanding Cross-Site Scripting (XSS)

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an application does not properly validate user inputs and subsequently renders malicious scripts within a web page or application. In the context of this vulnerability, a contributor can inject harmful code via a shortcode that remains stored on the website server. When unsuspecting users view the compromised content, the malicious script is executed within their browsers, allowing attackers to steal sensitive information, impersonate users, or carry out other malicious actions.

Exploiting the Stored Cross-Site Scripting (XSS) vulnerability

Exploiting the Stored XSS vulnerability in WP Matterport Shortcode involves an attacker with contributor-level access inserting malicious code within a shortcode. This code could include payloads to steal user cookies, redirect users to malicious websites, or perform actions on behalf of the compromised contributor account. Attackers can craft convincing phishing attempts, compromising the security and trustworthiness of the affected website.

POC shortcode:

[matterport cols=”3″ src=”https://wordpress.org/plugins/shortcode-gallery-for-matterport-showcase/uKDy9xrMRCi,wV4vX743ATF” width=’900 ” onmouseover=”alert(12312123312)’]

This shortcode can be inserted into a new post

Potential Risks and Real-World Impact

The potential risks associated with this vulnerability are significant. An attacker could use the compromised contributor account to post malicious content or links, thereby damaging the reputation of the website. Furthermore, if the compromised contributor has higher privileges, the attacker may escalate their access to perform more malicious actions, such as deleting content or gaining administrative control.

In a real-world scenario, a contributor’s account could be taken over by an attacker who injects a rogue shortcode into a post. Unsuspecting visitors to the site may then fall victim to the XSS attack, leading to a breach of their personal data or exposure to harmful content.

1. Unauthorized Data Access:
   Attackers could exploit the XSS vulnerability to steal sensitive user data, such as login credentials or personal information.
   
2. Cookie Theft:
   Malicious scripts could hijack user cookies, leading to unauthorized access to user accounts or session hijacking. After account takeover attacker can insert malicious PHP code on page and it will be RCE.
   
3. Malicious Content Distribution:
   Attackers might use the vulnerability to inject harmful content or links into the website, potentially damaging the site’s reputation or spreading malware.

Recommendations for Improved Security

To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

• Update to the latest version:
  Website administrators should ensure that the WP Matterport Shortcode plugin is updated to the latest patched version, as the vendor may have already addressed this vulnerability.
  
• Input Validation and Escaping:
  Plugin developers must implement robust input validation and escaping mechanisms to ensure that all user-generated content, including shortcodes, is properly sanitized before rendering on the page.
  
• Regular Security Audits:
  Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  
• User Privilege Restriction:
  Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
  
• User Awareness:
  Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.
  
  

By following these recommendations, website owners can reduce the risk of XSS attacks and enhance the overall security posture of their WordPress installations.

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website