The Fancier Author Box plugin by ThematoSoup is a popular WordPress add-on used to display attractive author info boxes at the end of blog posts. Unfortunately, versions up to 1.4 contain a serious vulnerability (CVE-2022-3833) that puts WordPress sites at risk of Stored Cross-Site Scripting (XSS) attacks, even if an admin has disabled the powerful unfiltered_html capability.
In this post, I’ll explain how this bug works, who is at risk, show example payload code, and point you to original sources. This is an exclusive step-by-step walk-through for webmasters, security researchers, and plugin developers.
What is CVE-2022-3833?
CVE-2022-3833 is a vulnerability in the *Fancier Author Box* plugin (all versions through 1.4) which lets WordPress users with high privileges (like *admin* on multisite setups where some dangerous capabilities are locked down) inject JavaScript into the plugin settings. This code runs each time the author box displays, affecting every visitor—including admins.
Risk: Stored XSS (Code runs for all visitors)
- Who can attack: High privilege user (e.g., admin on multisite, editor if plugin’s settings are open)
How Does The Vulnerability Work?
The plugin lets privileged users configure settings like box title, bio, etc., but fails to *sanitize* or *escape* user input before saving or displaying it.
This means an attacker with plugin settings access can save a setting containing malicious HTML/JavaScript. When the box displays, the JavaScript runs—stealing cookies, hijacking sessions, defacing content, etc.
Technical Details
- Input not sanitized: Plugin settings (like author box title, social media fields) accept HTML tags and attributes.
- No escaping: When these fields are displayed, they’re rendered raw into the post/page.
Sample vulnerable code (based on public disclosures)
// settings save process (simplified)
update_option('ts_fab_author_box_title', $_POST['author_box_title']);
// settings display process
echo get_option('ts_fab_author_box_title'); // Not escaped!
Step-by-step Exploit Example
Suppose “Alice” is an admin on a WordPress multisite install, but super-admin has removed her unfiltered_html for security. She can still inject a Stored XSS payload.
Malicious payload example
<script>alert('Site Hacked!');</script>
Go to plugin’s “Fancier Author Box” settings under the WordPress dashboard.
3. Paste the code <script>alert('Site Hacked!');</script> into the “Author Box Title.”
View any post where the author box is shown.
Result: The alert box pops for every visitor, not only your account! A real attacker could, of course, do something much worse, like stealing admin cookies or manipulating author links to lure users to phishing sites.
Proof-of-Concept (PoC) screenshot
+-------------------------+
| Author Box Title |
| [<script>alert('Hacked')</script>] |
+-------------------------+
[Save]
If a visitor visits a post by that author
[Pop-up]: Hacked
Links to Original References
- WPScan advisory
- NVD entry for CVE-2022-3833
- Fancier Author Box plugin page
- Public disclosure by Patchstack
Version 1.5 fixes this bug by properly sanitizing and escaping all user inputs.
- Download latest: Fancier Author Box – WordPress.org
Conclusion
CVE-2022-3833 is a classic case of why all user input must be sanitized and escaped before outputting to a web page, even in admin-only plugin settings. Unsanitized HTML in author-related plugins is an attractive target for stored XSS, and can break site security in a multisite network.
If you run the Fancier Author Box plugin before version 1.5—or any plugin with author boxes—update now, and audit your site for possible abuse!
*For WordPress administrators everywhere: When in doubt, sanitize input and output. And always keep plugins up to date.*
Timeline
Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:49:00 UTC