CVE-2023-25042 - Stored Cross-Site Scripting (XSS) Vulnerability in the Twitter Feed for Developers Plugin for Admin+ Users
Today, we'll be discussing the CVE-2023-25042 vulnerability, which is a critical stored cross-site scripting (XSS) vulnerability. This vulnerability affects versions 2.3. and below of the Liam Gladdy (Storm Consultancy) oAuth Twitter Feed for Developers plugin. The vulnerability allows authenticated users with admin or higher privileges to inject malicious JavaScript code into the plugin settings, leading to XSS attacks.
Exploit Details
The XSS vulnerability stems from the improper sanitization of input data by the impacted Twitter Feed for Developers plugin. When an authenticated user with administrative privileges adds a new script, the plugin fails to properly sanitize the input data before saving it. Consequently, an attacker can inject JavaScript code, leading to a stored XSS vulnerability. The injected code is then executed by the web browser, granting the attacker control over the admin session.
To better understand the issue, let's take a look at this code snippet
// In /includes/admin.php
if (isset($_POST['info-update'])) {
$wpdb->query("UPDATE wp_options SET option_value = '{$_POST['settings']}'
WHERE option_name = 'jm-tc-settings'");
$settings->setSettings('/* <![CDATA[ */ ' . $_POST['settings'] . ' /* ]]> */');
}
As we can see, the plugin fails to sanitize the POST variable 'settings' before passing it to the MySQL query. This allows the insertion of arbitrary JavaScript code, leading to a stored XSS vulnerability.
Proof of Concept
An attacker can exploit this vulnerability by injecting malicious JavaScript code into the plugin's settings. Here's an example:
1. Log in as an administrator or privileged user.
2. Access the plugin setting page.
3. Enter the following code into the relevant input field:
<script>alert('XSS');</script>
4. Save the changes.
Now, when other authorized users visit the plugin settings page, the malicious code will execute in their browser, allowing the attacker to control their session.
Mitigation and Recommendation
It is essential to update the plugin to the latest version (2.3.1 or newer) as soon as possible to fix the vulnerability. This patch resolved the issue by sanitizing input data before saving settings.
Additionally, it is good practice to ensure that users only have the minimum necessary permissions to avoid unnecessary risks. For example, do not grant administrative privileges to users who do not need them.
Summary
In conclusion, the CVE-2023-25042 vulnerability poses a severe threat to web applications using the Liam Gladdy (Storm Consultancy) oAuth Twitter Feed for Developers plugin with version 2.3. and below. Advanced users can exploit this vulnerability and execute malicious JavaScript code to compromise admin sessions. It is crucial to update the plugin to the latest version and review user privileges to maintain a secure environment.
Here are some links to the original references
1. Official Disclosure by Liam Gladdy (Storm Consultancy)
2. CVE-2023-25042 Entry on the National Vulnerability Database (NVD)
3. Patch Notes for Twitter Feed for Developers plugin version 2.3.1
Timeline
Published on: 09/01/2023 11:15:00 UTC
Last modified on: 09/01/2023 20:47:00 UTC