CVE-2022-3408 is a security vulnerability affecting the WP Word Count plugin for WordPress up to version 3.2.3. This plugin is intended to help you count the number of words in your WordPress posts as you write or revise them. Unfortunately, some of its settings are neither sanitized when saved nor escaped when rendered, which creates a security risk that can be exploited.

Specifically, high-privilege users such as administrators can exploit this vulnerability to perform Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed in WordPress. In this post, we'll provide details on the vulnerability, exploitation scenarios, and how to remediate and protect your WordPress site from this issue.

Vulnerability Description

The WP Word Count plugin fails to sanitize and escape some of its settings correctly, which may enable a high-privilege user like an administrator to perform XSS attacks. This is especially concerning when unfiltered_html capability is disallowed, as this would typically prevent a user from adding potentially malicious JavaScript code to a WordPress site.

The lack of proper input validation and output encoding in the plugin leads to an authenticated stored XSS vulnerability. As an authenticated administrator, an attacker can inject a malicious payload into the WP Word Count settings, which is then stored and rendered back to anyone who opens the settings page.

Exploit Details

The following code snippet demonstrates the presence of this vulnerability within the wp-word-count.php file (adapted from WP Word Count v3.2.3):

<?php
// Save path: the raw request value is stored as-is, with no validation or sanitization.
if (isset($_POST['wpwc_reading_seconds_per_word'])) {
    update_option('wpwc_reading_seconds_per_word', $_POST['wpwc_reading_seconds_per_word']);
}

// ... other options saving ...

// Render path: the stored value is concatenated into an HTML attribute without escaping.
echo '<input type="text" name="wpwc_reading_seconds_per_word" value="' . get_option('wpwc_reading_seconds_per_word') . '" />';

As shown above, the plugin captures user input values from the $_POST array and stores them using the update_option() function. Later, these values are directly output in the plugin's settings page without proper sanitization and escaping.

For instance, a malicious admin could enter the following payload in the "Reading Time: Seconds per Word" field:

" onload="alert(1)

This would result in script execution whenever a user visits the settings page that renders the stored value.
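To make the two defects concrete, here is an added example (not the plugin's own code, and not from the original article) that places the vulnerable save/render pair beside a hardened version. The wpwc_*_example function names, the 0.25 default value and the nonce action name are assumptions; the WordPress APIs used (update_option, get_option, esc_attr, wp_unslash, current_user_can, check_admin_referer, wp_nonce_field, register_setting) are real. The capability and nonce checks are standard WordPress practice added for completeness rather than something the article describes.

```php
<?php
// Added example, not the plugin's own code. Function names prefixed wpwc_*_example
// are hypothetical; the WordPress API calls are real.

// --- Vulnerable pattern, as described in the article ---

function wpwc_save_settings_vulnerable_example() {
    if ( isset( $_POST['wpwc_reading_seconds_per_word'] ) ) {
        // Raw request value stored verbatim: no validation, no sanitization.
        update_option( 'wpwc_reading_seconds_per_word', $_POST['wpwc_reading_seconds_per_word'] );
    }
}

function wpwc_render_field_vulnerable_example() {
    // Option echoed into an HTML attribute without escaping: a stored value that
    // contains a double quote terminates value="..." and can add new attributes.
    echo '<input type="text" name="wpwc_reading_seconds_per_word" value="'
        . get_option( 'wpwc_reading_seconds_per_word' ) . '" />';
}

// --- Hardened pattern ---

// 1. Sanitize on save. The setting is a number of seconds, so the strictest
//    sanitizer coerces it to a bounded positive float; anything else falls back
//    to the default (0.25 is an assumed default, not taken from the plugin).
function wpwc_sanitize_seconds_per_word_example( $value ) {
    $default = 0.25;
    if ( ! is_numeric( $value ) ) {
        return $default;
    }
    $seconds = (float) $value;
    return ( $seconds > 0 && $seconds <= 60 ) ? $seconds : $default;
}

function wpwc_save_settings_hardened_example() {
    // Only users who may manage options can write, and the request must carry
    // a valid nonce (standard WordPress practice, assumed here).
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'wpwc_save_settings_example', 'wpwc_nonce' );

    if ( isset( $_POST['wpwc_reading_seconds_per_word'] ) ) {
        $clean = wpwc_sanitize_seconds_per_word_example(
            wp_unslash( $_POST['wpwc_reading_seconds_per_word'] )
        );
        update_option( 'wpwc_reading_seconds_per_word', $clean );
    }
}

// 2. Escape on output. esc_attr() encodes ", ', <, > and &, so even a value that
//    somehow bypassed sanitization cannot break out of the attribute.
function wpwc_render_field_hardened_example() {
    $value = get_option( 'wpwc_reading_seconds_per_word', 0.25 );
    echo '<input type="text" name="wpwc_reading_seconds_per_word" value="'
        . esc_attr( $value ) . '" />';
    wp_nonce_field( 'wpwc_save_settings_example', 'wpwc_nonce' );
}

// 3. Defence in depth: registering the option with a sanitize_callback hooks the
//    sanitize_option_{$option} filter, which update_option() runs for that option
//    regardless of which code path performs the write.
add_action( 'admin_init', function () {
    register_setting( 'wpwc_settings_example', 'wpwc_reading_seconds_per_word', array(
        'type'              => 'number',
        'sanitize_callback' => 'wpwc_sanitize_seconds_per_word_example',
        'default'           => 0.25,
    ) );
} );
```

The two controls are independent: sanitizing on save keeps bad data out of the options table, and escaping on output protects the page even if a value was written by another route (an import, a direct database edit, or an older plugin version). Applying only one of them leaves the other failure mode open, which is why both the save path and the render path in the original snippet need to change.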

Original References

1. CVE-2022-3408 - MITRE's CVE entry for this vulnerability.
2. WP Word Count Security Release - Official plugin changelog mentioning the security-related release.

To protect your WordPress site from this vulnerability, take the following steps:

1. Update your WP Word Count plugin to version 3.2.4 or later. Plugin authors have released a security update that addresses this vulnerability.
2. Limit user access: Only grant admin access to trusted individuals and limit the number of users with high-privilege roles.
3. Implement security best practices: Utilize security plugins and follow guidelines to harden your WordPress site, such as keeping all plugins and themes up-to-date.

Conclusion

As a WordPress site owner, it's crucial to stay informed about vulnerabilities like CVE-2022-3408 and ensure that your site remains secure. By keeping your plugins up-to-date and adhering to security best practices, you can help to protect your site and users from potential threats.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 17:09:00 UTC