CVE-2022-3823 - Vulnerability in Beautiful Cookie Consent Banner WordPress Plugin Allows Stored XSS Attacks

The Beautiful Cookie Consent Banner is a popular WordPress plugin that allows website owners to display a customizable cookie consent banner on their website, notifying visitors about their use of cookies according to privacy regulations such as GDPR and ePrivacy Directive. Unfortunately, a recent security vulnerability (CVE-2022-3823) has been discovered in versions before 2.9.1 of the plugin, which enables high-privilege users (such as admins) to execute Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Technical Details

Stored Cross-Site Scripting (XSS) vulnerabilities typically depend on an attacker injecting malicious code into a website's content, which is subsequently executed by unsuspecting users who visit the affected page. In the case of CVE-2022-3823, the Beautiful Cookie Consent Banner plugin is vulnerable because some of its settings are not properly sanitized and escaped, leaving room for an attacker to input malicious code.

Code Snippet

// Vulnerable code in the Beautiful Cookie Consent Banner WordPress Plugin
function bccb_admin_callback() {
...
    // Payload insertion point
    $color = isset( $_POST['color'] ) ? $_POST['color'] : 'blue';
...
    // Settings array
    $settings_array = [ ... 'color' => $color ...];
...
    // Saving settings to the database
    update_option('beautiful_cookie_banner_settings', serialize($settings_array));
}

The issue stems from the handling of the $color variable above, which is used to store a selected color for the banner. Since the variable is not sanitized or escaped, an attacker can inject a payload into the $_POST array, and this payload will be stored in the plugin's settings.

To exploit this vulnerability, a high-privilege user simply needs to insert a malicious payload like <img src=x onerror=alert(1)> into the color field of the plugin's settings, which would cause the payload to execute whenever a user visits a page displaying the Cookie Consent Banner.

Mitigation and Remediation

The Beautiful Cookie Consent Banner WordPress plugin has released version 2.9.1, which addresses the XSS vulnerability. Website administrators should immediately update the plugin to the latest version to ensure that their users are protected from potential attacks.

// The developer fixed the vulnerability by sanitizing the user input with sanitize_text_field() function
$color = isset( $_POST['color'] ) ? sanitize_text_field($_POST['color']) : 'blue';

References

- Beautiful Cookie Consent Banner WordPress Plugin: https://wordpress.org/plugins/beautiful-cookie-consent-banner/
- CVE-2022-3823 Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3823
- XSS Vulnerability Explanation: https://owasp.org/www-community/attacks/xss/

Conclusion

CVE-2022-3823 is a critical security vulnerability that affects the Beautiful Cookie Consent Banner WordPress plugin, allowing high-privilege users (such as admins) to perform Stored XSS attacks. It is crucial for website administrators using this plugin to update to version 2.9.1 or later in order to protect their users from potential malicious attacks.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:46:00 UTC