CVE-2022-3096: The WP Total Hacks WordPress Plugin Vulnerability Explained - Stored Cross-Site Scripting Attacks and Low Privilege Users

The WordPress ecosystem is known for its plugins, which provide additional functionalities and features to our websites. However, these plugins can sometimes be the source of security vulnerabilities, putting your website and its users at risk. One such vulnerability has been discovered in the WP Total Hacks WordPress plugin, assigned with the CVE identifier CVE-2022-3096. In this post, we will dive deep into the details of this vulnerability and provide code snippets, original references, and helpful links to better understand and mitigate this issue on your website.

The Vulnerability

CVE-2022-3096 affects the WP Total Hacks WordPress plugin versions up to and including 4.7.2. The plugin's vulnerability lies in its failure to prevent low-privilege users, such as subscribers, from modifying its settings. This lack of security allows malicious users to exploit the vulnerability and conduct Stored Cross-Site Scripting (XSS) attacks against other users, including website administrators. The vulnerability is also compounded by the plugin's lack of proper input sanitization and escaping, allowing attackers to inject malicious scripts into vulnerable websites.

Code Snippet

The following code snippet demonstrates the type of unsanitized input vulnerability present in the WP Total Hacks plugin:

// Example code snippet demonstrating the lack of sanitization in WP Total Hacks plugin

$wp_total_hacks_options['custom_script'] = stripslashes($_POST['custom_script']);

The vulnerability was first reported by the security researcher MD RAIHAN KHAN and later confirmed by the WordPress Security team. You can find more information about the vulnerability and its impact through the following resources:

1. Official CVE entry for CVE-2022-3096: (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3096)
2. WPScan Vulnerability Database for WordPress Plugins: (https://wpscan.com/vulnerability/5f117e82-f570-42ee-badb-e34c052c3331)

Exploit Details

Attackers can exploit CVE-2022-3096 by registering as subscribers on vulnerable websites and then injecting malicious JavaScript code into the WP Total Hacks settings. This compromised setting, when viewed or interacted by other users (especially administrators), will execute the attacker's malicious script, potentially leading to stolen sensitive information, compromised user accounts, and any other consequences resulting from XSS attacks.

Mitigating the Vulnerability

Website administrators using the WP Total Hacks plugin should immediately update their plugin to version 4.7.3 or higher. This version patches the vulnerability and resolves the security concerns that stem from CVE-2022-3096. You should also review your website's user roles and permissions, ensuring that low privilege users do not have undue access to critical settings and features.

Conclusion

It is essential to remain vigilant and informed about ongoing security vulnerabilities, particularly those that affect widely used plugins, like WP Total Hacks. By staying up-to-date with the latest security information and taking proactive measures to protect your website, you can minimize the risks associated with CVE-2022-3096 and other vulnerabilities. Prioritizing security when it comes to WordPress plugins will help you ensure the safety of your website and its users.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 14:00:00 UTC