The Image Hover Effects Css3 WordPress plugin, with versions up to and including 4.5, has been found to contain a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability affects high privilege users such as administrators and can be used to execute Stored XSS attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup scenario). This article will discuss the details and impact of this vulnerability, with original references and code snippets for better understanding.

Details

The vulnerability resides in the fact that the Image Hover Effects Css3 WordPress plugin fails to properly sanitize and escape some of its settings. This allows an attacker to inject malicious JavaScript code into the settings which can then be executed by an unsuspecting victim when they browse the affected webpages.

Code Snippet

Consider the following example of a vulnerable setting in the Image Hover Effects Css3 WordPress plugin:

// Both registrations use the nopriv hook, so the endpoint is reachable without logging in.
// The second callback, iheu_plus_ajax_data_with_attr, is not shown in this snippet.
add_action('wp_ajax_nopriv_iheu_plus_ajax_data', 'iheu_plus_ajax_data');
add_action('wp_ajax_nopriv_iheu_plus_ajax_data', 'iheu_plus_ajax_data_with_attr');

function iheu_plus_ajax_data() {
    global $wpdb; // $wpdb must be imported into function scope to be usable here

    // No nonce check, no capability check and no sanitization of the POST parameter.
    $styleid = $_POST['styleid'];
    $database = $wpdb->get_row($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "image_hover_with_carousel_info WHERE id = %d ", $styleid), ARRAY_A);
    // The stored CSS setting is echoed back to the browser without any escaping.
    echo $database['css'];
    wp_die();
}

In this code snippet, the callback registered through add_action() neither sanitizes the POST data it receives nor escapes what it echoes back. As a result, an attacker can inject malicious JavaScript code through the $styleid parameter which, when the response is rendered, runs arbitrary code in the context of a victim's browser.

Exploit

To exploit this vulnerability, an attacker would need to craft a malicious request with the injected JavaScript payload. For example:

POST /wp-admin/admin-ajax.php?action=iheu_plus_ajax_data HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

styleid=1; %3Cscript%3Ealert(%27XSS%20Attack%27)%3C/script%3E


When the admin user views the settings page of the Image Hover Effects Css3 WordPress plugin, the malicious JavaScript code will be executed, resulting in a successful Stored XSS attack.

Mitigation

To mitigate this vulnerability, it is recommended to update the Image Hover Effects Css3 WordPress plugin to the latest version available, which addresses this specific security issue. Furthermore, always ensure that all inputs are properly sanitized and escaped before processing in any application, including WordPress plugins, to prevent potential security vulnerabilities.
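The following is an added example of what "sanitize on input, escape on output" looks like for the handler shown above; it is not the plugin's own code. It assumes the same table and column names as the snippet, and the nonce action name 'iheu_plus_nonce' and the save-side helper are hypothetical.

```php
<?php
// Hardened variant of the AJAX handler (added example, not the plugin's code).
// Uses the authenticated wp_ajax_ hook instead of wp_ajax_nopriv_.
add_action( 'wp_ajax_iheu_plus_ajax_data', 'iheu_plus_ajax_data_hardened' );

function iheu_plus_ajax_data_hardened() {
    global $wpdb; // the original snippet never brought $wpdb into scope

    // Reject requests that lack a valid nonce for this action (CSRF protection).
    // 'iheu_plus_nonce' is an assumed action name, not one from the plugin.
    check_ajax_referer( 'iheu_plus_nonce', 'nonce' );

    // Only users allowed to manage settings may read them back.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitize input: the style id must be a positive integer.
    $styleid = isset( $_POST['styleid'] ) ? absint( wp_unslash( $_POST['styleid'] ) ) : 0;
    if ( 0 === $styleid ) {
        wp_send_json_error( 'invalid styleid', 400 );
    }

    $css = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT css FROM {$wpdb->prefix}image_hover_with_carousel_info WHERE id = %d",
            $styleid
        )
    );

    // Escape output: the stored value may have been saved by a user without
    // unfiltered_html, so strip any markup before it reaches the browser.
    // Valid CSS contains no '<', so a "</style><script>" sequence is removed
    // while ordinary rules and selectors survive intact.
    $css = wp_strip_all_tags( (string) $css );

    header( 'Content-Type: text/css; charset=' . get_option( 'blog_charset' ) );
    echo $css;
    wp_die();
}

// Sanitize on save as well (hypothetical helper): markup never reaches the table,
// so the output-side escaping above is a second layer rather than the only one.
function iheu_plus_sanitize_css_setting( $raw_css ) {
    return wp_strip_all_tags( wp_unslash( (string) $raw_css ) );
}
```

Apply the same pattern to every setting the plugin stores and later prints: sanitize with a type-appropriate function when saving, and escape with a context-appropriate function (esc_html, esc_attr, or stripping tags for CSS) when outputting.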

References

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3601
2. https://wpvulndb.com/vulnerabilities/10619
3. https://github.com/rudrasoftech/image-hover-effects_carousel/issues/

Conclusion

The CVE-2022-3601 vulnerability found in the Image Hover Effects Css3 WordPress plugin highlights the potential risks posed by improperly sanitizing and escaping user input. Upgrading the plugin to the latest version and following secure coding practices can help protect websites and users from such attacks.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:43:00 UTC