While evaluating the plugin, we uncovered a vulnerability that permits the execution of Stored Cross-Site Scripting (XSS) on behalf of a contributor. This vulnerability is exploited by inserting a shortcode into a newly created post, potentially resulting in an account takeover.
Main info:
| CVE | CVE-2023-4795 |
| Plugin | Testimonial Slider Shortcode |
| Critical | High |
| Publicly Published | September 25, 2023 |
| Last Updated | September 25, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | Will be later |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4795 https://wpscan.com/vulnerability/b8390b4a-b43f-4bf6-a61b-dfcbc7b2e7a0 |
| Plugin Security Certification by CleanTalk |  |
Timeline
| August 24, 2023 | Plugin testing and vulnerability detection in the Testimonial Slider Shortcode plugin have been completed |
| August 24, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 20, 2023 | The author has released a fix update |
| September 25, 2023 | Registered CVE-2023-4795 |
Discovery of the Vulnerability
During a thorough evaluation of the Testimonial Slider Shortcode plugin, a significant security vulnerability was uncovered. This vulnerability allows for the execution of Stored Cross-Site Scripting (XSS) attacks through the use of a shortcode within a new post. Intriguingly, this security loophole can be exploited by contributors and users with elevated privileges, potentially leading to unauthorized account access.
Understanding of Stored XSS attack’s
Stored Cross-Site Scripting (XSS) represents a type of security vulnerability where malicious scripts are inserted into a web application and then stored for future execution when other users interact with the affected content. In the context of this vulnerability, attackers can utilize shortcodes to store and subsequently execute malicious JavaScript code.
Exploiting the Stored XSS
Exploiting the Stored XSS vulnerability within the Testimonial Slider Shortcode plugin involves the insertion of malicious code within a shortcode by an attacker with contributor-level privileges or higher. The injected code may include payloads designed to steal user data, impersonate users, or execute actions on behalf of the compromised contributor account. Attackers can create seemingly innocuous posts that, upon viewing, trigger the execution of the malicious script.
POC shortcode:
[tss_item text=»Abelson has been an amazing firm to work with. Lorem changed the company.» name=»JOHN SAMPSON LP» link='” onmouseover=”alert(/XSS/)”‘/]
This is shortcode which you can add to new post
Despite the requirement for contributor-level privileges, CVE-2023-4795 poses substantial risks. An attacker who successfully exploits this vulnerability can:
- Execute arbitrary code within the context of other users’ browsers.
- Pilfer sensitive data such as cookies or session information.
- Gain unauthorized access to the compromised contributor’s account.
- Assume the identity of contributors to carry out nefarious actions on the website.
In a real-world scenario, envision an attacker leveraging this vulnerability to compromise a contributor’s account on a website employing the Testimonial Slider Shortcode plugin. By embedding a malicious shortcode in a seemingly harmless post, they can execute an XSS attack on anyone who views the manipulated content. This could result in unauthorized account access, data breaches, and harm to the website’s reputation.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2023-4795 and enhance the overall security of WordPress websites employing the Testimonial Slider Shortcode plugin, consider the following recommendations:
- Plugin updates: Ensure the Testimonial Slider Shortcode plugin is kept up to date, specifically to version 1.1.9 or later, which should contain a patch addressing this vulnerability.
- Input validation and sanitization: Developers should implement stringent input validation and data sanitization to prevent the injection of malicious code through shortcodes or other user inputs.
- Least privilege principle: Restrict the capabilities and permissions of contributors and other user roles to minimize the potential impact of a compromised account.
- Regular security assessments: Routinely conduct security audits and penetration testing to proactively identify and address vulnerabilities.
- User education: Educate contributors and administrators about potential security threats and best practices for securely using and managing plugins and shortcodes.
By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks and enhance the overall security posture of their WordPress installations, even for vulnerabilities that may require contributor-level privileges.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
Related posts
CVE-2023-4646 – Simple Posts Ticker < 1.1.6 - Contributor + Stored XSS via shortcode
CVE-2023-4289 – WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode
CVE-2023-4798 – User Avatar – Reloaded < 1.2.2 - Contributor+ Stored XSS
CVE-2023-4035 – Simple Blog Card < 1.31 - Contributor+ Stored XSS via Shortcode
CVE-2023-4725 – Simple Posts Ticker < 1.1.6 - Admin+ Stored XSS
CVE-2023-3720 – Upload Media By URL < 1.0.8 - Stored XSS via CSRF
CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)