CVE-2022-3828 - Vulnerability in Video Thumbnails WordPress Plugin Allows Stored Cross-Site Scripting Attacks

A recent vulnerability with the identification CVE-2022-3828 has been discovered in the popular Video Thumbnails WordPress plugin (versions up to 2.12.3). This security issue, if exploited, may allow high privilege users like administrators to perform Stored Cross-Site Scripting (XSS) attacks on the website, even when the unfiltered_html capability has been disallowed, such as in multisite setups. In this long read, we will dive deep into the technical details of the vulnerability, demonstrate how it can be exploited, and provide guidance on mitigation steps.

Technical Details

The Video Thumbnails plugin is designed to automatically retrieve video thumbnails from various video hosting platforms and use them as featured images for associated posts in WordPress. The vulnerability in question (CVE-2022-3828) is due to a lack of proper sanitization and output escaping in certain plugin settings.

What this means is that an attacker with high-level privileges (e.g., administrator) can inject malicious JavaScript code as a plugin setting. When another user (even with lower privileges) accesses a page containing this setting, the malicious code gets executed in the user's browser, leading to a Stored XSS attack.

Proof of Concept (PoC)

To demonstrate the potential exploit in action, let's take a look at an example. In the Video Thumbnails' settings page, an attacker with admin privileges can inject a malicious script into the 'custom selector' field under the 'advanced settings.'

<script>alert('Malicious script executed!')</script>

Upon saving this setting, the malicious script is stored in the WordPress database. If another user (admin or not) navigates to a page that uses the 'custom selector' field value, the script will automatically execute in their browser.

From this point, an attacker could craft a potential XSS payload to steal sensitive information, modify the appearance of the website or further escalate their privileges.

Original References

The vulnerability was reported to the WordPress plugin team and responsibly disclosed by the researcher. The detailed advisory with all the technical information about the vulnerability can be found at the Common Vulnerabilities and Exposures (CVE) database:

- CVE-2022-3828 - Video Thumbnails WordPress Plugin Vulnerability

Additionally, more information about this security issue can be found on the WordPress plugin repository:

- Video Thumbnails - Plugin Homepage
- Video Thumbnails - Changelog (mentioning the fix for this vulnerability)

Mitigation Steps

If you are using the Video Thumbnails WordPress plugin, it is highly recommended to update to the latest version (2.12.4 or later), as it addresses this specific vulnerability. You can easily update the plugin through the WordPress admin dashboard or manually download the updated version from the plugin homepage.

As a prudent measure, you should also review your website's user accounts and ensure that only trusted users have high privilege roles like administrator or editor.

Conclusion

The CVE-2022-3828 security vulnerability in the Video Thumbnails WordPress plugin serves as a stark reminder to always keep your plugins up-to-date and to be cautious about who has access to high-level privileges on your site. By taking prompt action and following the recommended mitigation steps, you can significantly reduce the risk of falling victim to Stored XSS attacks via this vulnerability.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:48:00 UTC