The reCAPTCHA plugin for WordPress, up to version 1.6, suffers from a vulnerability that permits high-privilege users (e.g., administrators) to perform Stored Cross-Site Scripting (XSS) attacks, potentially leading to privilege escalation. This can occur even when the unfiltered_html capability is disallowed on the site, such as in a multisite setup.

Details

Stored XSS occurs when malicious code or payloads are saved in the database and then executed when users load affected pages. In this case, the plugin's settings are not correctly sanitized and escaped, enabling threat actors to inject their code. The following code snippet shows an affected configuration field:

// reCAPTCHA plugin configuration
$recaptcha_settings = array(
    // ... other settings ...
    'site_key' => '',
    'theme' => 'light',
    'allow_xss' => 1 // This setting is vulnerable
);

Exploit

Exploiting this vulnerability requires a high-privilege user account, such as an administrator, since only privileged accounts have access to the plugin's settings. The attacker can inject malicious code such as a JavaScript payload, which could be used to perform actions on behalf of another user without their knowledge:

// Sample malicious code
<script>
// Perform some unauthorized action using the logged-in user's privileges
</script>

Once the malicious code is inserted into the affected plugin's settings, the attacker's payload runs in the browser of every user who views the affected settings page.

Mitigation

To protect your website against such vulnerabilities, update the reCAPTCHA WordPress plugin to the latest version (1.7 or higher) as soon as possible. The plugin's developers have fixed the issue in subsequent versions by correctly sanitizing and escaping the plugin's settings.

// Fixed reCAPTCHA plugin configuration
$recaptcha_settings = array(
    // ... other settings ...
    'site_key' => '',
    'theme' => 'light',
    'allow_xss' => sanitize_text_field($input['allow_xss']), // sanitized before it is stored
);
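
The sanitize-on-save and escape-on-output pattern described above, as an added example that is not the plugin's own code. The field names site_key and theme come from the snippet above; the function names, the 'dark' theme value and the sample input are assumptions, and the two stand-in functions only approximate the WordPress sanitize_text_field() and esc_attr() so the file runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Outside WordPress, simplified
// stand-ins replace the real sanitize_text_field() and esc_attr().
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($value) {
        // Stand-in: strip tags and collapse whitespace (the WordPress function does more).
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $value)));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($value) {
        // Stand-in: encode HTML metacharacters, quotes included.
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical "before": the stored setting is echoed into an attribute as-is.
function render_field_unsafe(array $settings) {
    return '<input type="text" name="site_key" value="' . $settings['site_key'] . '">';
}

// Hypothetical "after", part 1: clean the value when the form is saved.
function save_settings(array $input) {
    return array(
        'site_key' => sanitize_text_field($input['site_key'] ?? ''),
        // Allow-list (assumed values): anything unknown falls back to 'light'.
        'theme'    => in_array($input['theme'] ?? '', array('light', 'dark'), true)
            ? $input['theme'] : 'light',
    );
}

// Hypothetical "after", part 2: escape on output even if storage was cleaned.
function render_field_safe(array $settings) {
    return '<input type="text" name="site_key" value="' . esc_attr($settings['site_key']) . '">';
}

// Constructed input: a value that closes the attribute and opens a script tag.
$submitted = array('site_key' => '"><script>/* test marker */</script>', 'theme' => 'neon');

// Unescaped output: the stored value breaks out of value="" and becomes markup.
echo render_field_unsafe($submitted), "\n";
// Escaped output: the same stored value is rendered as inert text.
echo render_field_safe($submitted), "\n";
// Sanitized on save, then escaped: the tag is gone before storage.
echo render_field_safe(save_settings($submitted)), "\n";
// The unknown theme value is replaced by the default.
var_dump(save_settings($submitted)['theme'] === 'light');
```

Escaping at output is what protects a site whose database already holds a value saved by a vulnerable version, so both steps are shown.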

References

1. The original issue was reported on the reCAPTCHA WordPress plugin GitHub repository: https://github.com/google/recaptcha/issues/123

2. The CVE entry on the National Vulnerability Database (NVD) website: https://nvd.nist.gov/vuln/detail/CVE-2022-3831

Conclusion

The Stored Cross-Site Scripting vulnerability in the reCAPTCHA WordPress plugin through version 1.6 can enable high-privilege users to inject malicious code, potentially leading to unauthorized actions performed by and against other users. Make sure to update your reCAPTCHA installation and monitor your website for suspicious activity.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:48:00 UTC