Post-Authenticate Stored XSS in Wordpress Plugin Similar Posts

NetbyteSEC Security Advisory - Post-Authenticate Stored XSS in Wordpress Plugin Similar Posts 


Title: Post-Authenticate Stored XSS in Wordpress Plugin Similar Posts
Advisory ID: NBS-2023-0002
Product: Similar Posts
Vulnerable Version: prior to 3.1.6
CVE ID: CVE-2022-41612
Date of Discovery: Oct 16th 2022
Author: Baharuddin Zulkifli | NetbyteSEC
 

Product Description

Similar Posts displays a list of posts that are similar or related to the current post. The list can be customized in many ways. Similarity is judged according to a post's title, content, and tags, and you can adjust the balance of factors to fit your own site.
 
Source: https://wordpress.org/plugins/similar-posts/

Vulnerability

1) Stored Cross Site Scripting (XSS) 

CVE-ID: CVE-2022-41612
Risk: Medium
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Improper sanitization of the user input fields tag_str, custom-key, and custom-value in the Similar Posts plugin allows an authenticated user with sufficient privileges to store malicious JavaScript that is later rendered to other users, resulting in a Stored XSS vulnerability.

Proof of Concept

Figure 1: POST request

The figure above shows the POST request body in which the custom-key parameter was injected with an XSS payload. The stored payload is rendered back unencoded and triggers an alert displaying the domain of the website.

Vulnerable Source Code

[...] 
<td style="border-bottom-width: 0"><input name="custom-key" type="text" id="custom-key" value="<?php echo $custom['key']; ?>" size="20" /></td>
[...]

This snippet of code creates an input field whose submitted value is read by the server-side script via its name attribute. The value attribute is populated from the PHP variable $custom['key'] without any output encoding, so a stored value containing quotes or markup breaks out of the attribute and is interpreted by the browser.
 

Solution (Source Code)

Apply the PHP htmlspecialchars function when displaying any user-supplied data back to the user.

[...]
<td style="border-bottom-width: 0"><input name="custom-key" type="text" id="custom-key" value="<?php echo htmlspecialchars($custom['key'], ENT_QUOTES); ?>" size="20" /></td> 
[...]
 
The htmlspecialchars function converts special characters (&, <, >, and quotes) to their corresponding HTML entities, preventing them from being interpreted as HTML or JavaScript code by the browser. The ENT_QUOTES flag is used to encode both single and double quotes, so the encoded value is safe inside either a single- or double-quoted attribute.
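The following is an added example written for this advisory; it is not code from the Similar Posts plugin. It places the vulnerable rendering of the custom-key field beside the htmlspecialchars-encoded version and uses PHP's DOMDocument to show how a browser-like parser sees each result. The $custom array and the stored value in it are constructed for the demonstration, and the function names are hypothetical.

```php
<?php
// Added example (not from the advisory or the Similar Posts plugin code).
// Contrasts unencoded attribute output with htmlspecialchars(..., ENT_QUOTES)
// and checks the parsed attribute list of the resulting <input> element.
declare(strict_types=1);

// Constructed sample of a stored plugin setting. The double quote closes the
// value attribute, and the rest of the string is then read as new attributes.
$custom = [
    'key' => '" autofocus onfocus="alert(document.domain)',
];

/** Vulnerable rendering: stored value echoed into the attribute unencoded. */
function renderCustomKeyVulnerable(array $custom): string
{
    return '<input name="custom-key" type="text" id="custom-key" value="'
        . $custom['key'] . '" size="20" />';
}

/** Fixed rendering: &, <, >, " and ' become entities, so the value cannot
 *  terminate the attribute or introduce markup. */
function renderCustomKeyFixed(array $custom): string
{
    return '<input name="custom-key" type="text" id="custom-key" value="'
        . htmlspecialchars($custom['key'], ENT_QUOTES, 'UTF-8') . '" size="20" />';
}

/** Parse the fragment the way a lenient HTML parser does and return the
 *  attribute names found on the first <input>. Extra names such as
 *  "onfocus" mean the stored value escaped the value attribute. */
function inputAttributeNames(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragment parsing emits warnings; ignore them
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

echo renderCustomKeyVulnerable($custom), PHP_EOL;
echo renderCustomKeyFixed($custom), PHP_EOL;

// Vulnerable output parses to 7 attributes, including onfocus and autofocus.
print_r(inputAttributeNames(renderCustomKeyVulnerable($custom)));
// Fixed output parses to the intended 5: name, type, id, value, size.
print_r(inputAttributeNames(renderCustomKeyFixed($custom)));
```

Inside a WordPress plugin the core helper esc_attr() performs the same attribute-context encoding and is the conventional choice; the important property either way is that encoding happens at output, in the HTML context where the value is placed.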
 

Timeline

2022-10-16: Discovered and submitted the report via https://patchstack.com
2022-10-17: Patchstack validated the report and contacted the vendor for patching
2022-10-19: Patchstack assigned the CVE-ID and requested the security patch from the researcher
2023-02-03: Report published publicly


NetByteSEC Sdn Bhd
===================
NetbyteSEC Sdn Bhd was incorporated under the Malaysian Companies Act 1965 in 2013.
NetbyteSEC is privately owned and is based in Cyberjaya, Selangor, Malaysia.
More information about NetbyteSEC Sdn Bhd can be found at:
https://www.netbytesec.com