CVE-2021-36858: Themepoints Testimonials Plugin on WordPress 2.6 (and below) suffers from Stored Cross-Site Scripting (XSS) Vulnerability for Admin+ Users

The Themepoints Testimonials plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (XSS) attack, which affects versions up to and including 2.6. CVE-2021-36858 has been assigned to this vulnerability. This security issue requires admin or higher privilege access for exploitation. In this article, we'll discuss the details of the vulnerability, analyze the code snippet, and look at the exploit methods and potential mitigations.

Vulnerability Details

Stored Cross-Site Scripting (XSS) is a security issue where an attacker injects malicious code into a website or application, which is then rendered and executed by a victim's browser. This can lead to a range of consequences, including the theft of sensitive information, manipulation of website content, and potentially even remote code execution.

The Themepoints Testimonials plugin for WordPress is affected by this vulnerability due to the improper sanitization and validation of user input while adding new testimonials. An attacker with admin or higher privileges can exploit this flaw to execute malicious script on the site when a victim interacts with the affected content.

The following is the problematic code snippet from the plugin's function for adding new testimonials:

function testimonial(){
   global $wpdb;
   // Each field is taken straight from $_POST; stripslashes() only undoes
   // WordPress's magic-quotes escaping, it does not sanitize or validate.
   $title = stripslashes($_POST['title']);
   $content = stripslashes($_POST['content']);
   $author = stripslashes($_POST['author']);
   $position = stripslashes($_POST['position']);
   $rating = stripslashes($_POST['rating']);
   $status = stripslashes($_POST['status']);
   // ... other code ...
   if(isset($_POST['submit'])){
      // ... insert the data into the database ...
      // The unsanitized values are stored as-is and later echoed to visitors.
   }
}

In this code snippet, user input is read from the $_POST variables and stored in local variables after removing any added slashes. Unfortunately, the plugin applies no sanitization or validation to these variables, which gives an attacker the opportunity to inject a malicious script. The unfiltered user input is later inserted into the database and displayed back to visitors whenever they view the testimonial section.

Exploit Details

To successfully exploit the vulnerability, an attacker with admin (or higher) privileges can follow these steps:

1. Click on the "Add Testimonial" option.
2. Inject the malicious script of your choice into fields such as "Title," "Content," "Author," or "Position."
3. Save the testimonial.

The injected script will be stored in the database and executed when the affected content is viewed by any visitor (including other admins) of the site. This allows the attacker to steal sensitive information, manipulate site content, and potentially execute arbitrary code remotely.

Original References

- CVE-2021-36858 on the NVD
- Themepoints Testimonials Plugin WordPress.org Repository

To protect your WordPress site from the discussed vulnerability, follow these steps:

1. Update the Themepoints Testimonials plugin to the latest version, which provides a fix for the identified security issue. If no updated version is yet available, consider disabling the plugin or replacing it with an alternative.
2. Ensure that only trusted users have access to admin or higher level accounts on your site.
3. Implement proper input sanitization and validation whenever user input is processed, even for admin or higher privileged users.
4. Continuously monitor your site for security updates and patches, and apply them as soon as they are available to minimize the risk of exploitation.
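As an added example (not the plugin's own code) of what step 3 means for the handler shown earlier, here is a hardened version of the same save routine together with an escaped output function; it assumes it runs inside WordPress, and the table name tp_testimonials, the nonce action tp_add_testimonial and both function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress runtime;
// table name, nonce action and function names are assumptions.

function tp_save_testimonial_hardened() {
    global $wpdb;

    // Only handle a real form submission that carries a valid nonce from a
    // user who may manage options; the original handler checks neither.
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    check_admin_referer( 'tp_add_testimonial' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    // Sanitize on input: wp_unslash() replaces stripslashes(), then each
    // field is reduced to what it is allowed to contain.
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $author   = sanitize_text_field( wp_unslash( $_POST['author'] ?? '' ) );
    $position = sanitize_text_field( wp_unslash( $_POST['position'] ?? '' ) );
    $content  = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ); // limited HTML, no <script>
    $rating   = min( 5, max( 0, absint( $_POST['rating'] ?? 0 ) ) );    // integer 0-5 only
    $status   = in_array( $_POST['status'] ?? '', array( 'publish', 'draft' ), true )
        ? $_POST['status'] : 'draft';                                   // whitelist

    // Parameterised insert: $wpdb->insert() prepares the values for SQL.
    $wpdb->insert(
        $wpdb->prefix . 'tp_testimonials',
        compact( 'title', 'content', 'author', 'position', 'rating', 'status' ),
        array( '%s', '%s', '%s', '%s', '%d', '%s' )
    );
}

// Escape on output: each value is escaped for the context it lands in, so a
// stored value can never become markup in a visitor's browser.
function tp_render_testimonial( $row ) {
    printf(
        '<div class="testimonial" data-rating="%s"><h3>%s</h3>%s<p>%s, %s</p></div>',
        esc_attr( $row->rating ),
        esc_html( $row->title ),
        wp_kses_post( $row->content ),
        esc_html( $row->author ),
        esc_html( $row->position )
    );
}
```

Sanitizing on input and escaping on output are both needed: the first limits what reaches the database, the second guarantees that whatever is stored is rendered as text, not as HTML.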

Conclusion

The Themepoints Testimonials plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability that allows attackers with admin or higher privileges to execute malicious scripts. This article has discussed the vulnerability in detail, analyzed the affected code snippet, and provided guidelines for exploiting and mitigating the issue. Users are urged to update the plugin to the latest available version and follow the mitigation steps provided to protect their WordPress sites from potential attacks.

Timeline

Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:44:00 UTC