CVE-2023-5237 - Memberlite Shortcodes - Stored XSS via shortcode - Use only certified WordPress plugins for your website
The Memberlite Shortcodes WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.
While testing the plugin, a vulnerability was found that allows a user with the contributor role to achieve Stored XSS by embedding the shortcode in a new post, which can lead to account takeover.
**Main info:**
- CVE: CVE-2023-5237
- Plugin: Memberlite Shortcodes
- Severity: High
- Publicly Published: October 9, 2023
- Last Updated: October 9, 2023
- Researcher: Dmitrii Ignatyev
- OWASP TOP-10: A7: Cross-Site Scripting (XSS)
- PoC: Yes
- Exploit: Will be published later
- Reference:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5237
  - https://wpscan.com/vulnerability/a46d686c-6234-4aa8-a656-00a65c55d0b0
  - Plugin Security Certification by CleanTalk
**Timeline**
- September 19, 2023: Plugin testing and vulnerability detection in the Memberlite Shortcodes plugin have been completed
- September 19, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
- September 25, 2023: The author has released a fix update
- October 9, 2023: Registered CVE-2023-5237
**Discovery of the Vulnerability**
During a comprehensive assessment of the Memberlite Shortcodes plugin, a critical vulnerability was uncovered. This vulnerability enables threat actors to execute Stored Cross-Site Scripting (XSS) attacks by leveraging a shortcode within a new post. This security flaw has the potential to result in an account takeover, particularly when exploited by a contributor.
**Understanding Stored XSS attacks**
Stored Cross-Site Scripting (XSS) is a type of security vulnerability where malicious scripts are injected into a web application and subsequently stored for later execution when accessed by other users. Although typically associated with HTTP headers, XSS can also be achieved through shortcodes. An attacker can exploit this vulnerability to insert malicious code, such as JavaScript, into a shortcode within a post.
**Exploiting the Stored XSS**
Exploiting the Stored XSS vulnerability in the Memberlite Shortcodes plugin involves an attacker, with contributor-level privileges, inserting malicious code within a shortcode in a new post. This code can include payloads designed to steal user data, hijack sessions, or perform actions on behalf of the compromised contributor account. Attackers can craft posts to entice users to view them, thereby triggering the execution of the malicious script.
PoC shortcode:
[memberlite_banner align='" onmouseover="alert(/XSS/)"' background="primary" title="Primary Banner"] Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla ultrices, nibh et iaculis lobortis, leo orci efficitur libero, non pharetra libero sem non lectus. Integer sit amet leo vel quam elementum scelerisque vel ac arcu. [/memberlite_banner]
This shortcode must be contained in the new post’s
The potential risks associated with CVE-2023-5237 are significant. An attacker who successfully exploits this vulnerability can:
- Execute arbitrary code within the context of other users’ browsers.
- Steal sensitive data like cookies or session information.
- Gain unauthorized access to the compromised contributor’s account.
- Impersonate contributors to perform malicious actions on the website.
In a real-world scenario, envision an attacker leveraging this vulnerability to compromise a contributor’s account on a website utilizing the Memberlite Shortcodes plugin. By embedding a malicious shortcode in a post, they can execute an XSS attack on anyone who views the manipulated content. This could result in unauthorized account access, data breaches, and damage to the website’s reputation.
**Recommendations for Improved Security**
To mitigate the risks posed by CVE-2023-5237 and enhance the overall security of WordPress websites using the Memberlite Shortcodes plugin, consider the following recommendations:
- Update the plugin: Ensure the Memberlite Shortcodes plugin is updated to the latest version, which should include a patch to address this vulnerability.
- Input validation and sanitization: Implement rigorous input validation and data sanitization to prevent the injection of malicious code through shortcodes or other user inputs.
- Least privilege principle: Restrict the capabilities and permissions of contributors and other user roles to minimize the potential impact of a compromised account.
- Regular security audits: Conduct routine security audits and penetration testing to proactively identify and address vulnerabilities.
- User awareness and education: Educate contributors and administrators about potential security threats and best practices for securely using and managing plugins and shortcodes.
By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks via shortcodes and enhance the overall security posture of their WordPress installations.
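The root cause described above (a shortcode attribute written into the page without validation or escaping) and the validation/sanitization recommendation, as an added illustration written for this post rather than the plugin's own code; the [demo_banner] shortcode and both handler functions are hypothetical:

```php
<?php
// Hypothetical [demo_banner] shortcode (not Memberlite's code) that renders its
// "align" and "title" attributes into HTML, first in the unescaped form the
// advisory describes, then hardened.

// Vulnerable pattern: attribute values are concatenated into markup untouched.
// Note that WordPress only kses-filters a contributor's post *as HTML* on save;
// shortcode text is plain text to that filter, so attribute values reach this
// handler exactly as typed and are rendered for every viewer, admins included.
function demo_banner_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'title' => '' ), $atts, 'demo_banner' );
    // A quote character inside $atts['align'] terminates the class attribute, so
    // whatever follows it becomes new attributes (e.g. an event handler) in the page.
    return '<div class="banner align-' . $atts['align'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . do_shortcode( $content )
         . '</div>';
}

// Hardened pattern: allow-list enumerated values, escape the rest for the exact
// context it lands in, and pass nested content through the post-content filter.
function demo_banner_fixed( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'title' => '' ), $atts, 'demo_banner' );

    // "align" only ever needs one of a few known values; anything else is rejected.
    $allowed_align = array( 'left', 'center', 'right' );
    $align = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'left';

    return '<div class="banner align-' . esc_attr( $align ) . '">'   // attribute context
         . '<h3>' . esc_html( $atts['title'] ) . '</h3>'              // text context
         . wp_kses_post( do_shortcode( $content ) )                   // nested markup
         . '</div>';
}

add_shortcode( 'demo_banner', 'demo_banner_fixed' );
```

The same review applies to every attribute a shortcode outputs: decide whether the value can be restricted to a fixed set, and otherwise escape it with the WordPress helper matching where it is inserted (esc_attr for attributes, esc_html for text, esc_url for href/src).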
DMITRII I.