A critical security vulnerability was recently discovered in the popular Store Locator WordPress plugin which has been designated as CVE-2023-4151. This vulnerability could potentially allow attackers to execute malicious code within the context of a high privilege user, such as an administrator, by exploiting a Reflected Cross-Site Scripting (XSS) issue. It is present in versions of the plugin prior to 1.4.13 and has since been fixed by the developers. In this post, we will delve into the technical details of this vulnerability, discuss simple examples of exploit scenarios, and provide suggestions for securing your WordPress site if you are using or considering using the Store Locator plugin.

Original References

This vulnerability was originally reported by the plugin's developer team, who promptly released a patch to address the issue. The following links provide detailed information on the vulnerability and the associated patch:

- CVE-2023-4151 - MITRE's record for this vulnerability.
- WordPress Plugin Repository - Official page for the Store Locator plugin.
- Store Locator Changelog - Changelog of the Store Locator plugin, detailing the recent change to address this vulnerability in version 1.4.13.

Vulnerability Details

The Store Locator plugin, before version 1.4.13, does not properly sanitise and escape an invalid nonce before outputting it back in an AJAX response. A nonce, or "number used once," is a security feature used to protect WordPress sites from potential cross-site request forgery (CSRF) attacks. An attacker could exploit this vulnerability by using social engineering techniques or direct manipulation of an AJAX request to trick a high privilege user into executing arbitrary JavaScript code within their browser. This could lead to a variety of malicious actions such as stealing session cookies, redirecting the user to malicious websites, or even taking control of the target user's account.

Code Snippet

The vulnerable code in question can be found within the ajax_response() function in the wp-content/plugins/store-locator/include/storelocator.php file. The function does not properly sanitise and escape the nonce before echoing it back in its AJAX response:

function ajax_response() {
    // ... Several lines of code ...

    // The nonce is taken straight from the request; no sanitisation is applied.
    $s_nonce = $_POST['_wpnonce'];

    // ... Several lines of code ...

    // On failure the raw value is echoed into the AJAX response without
    // escaping, which is the reflection point for the XSS.
    if ( ! wp_verify_nonce( $s_nonce, 'sl_ajax_response' ) ) {
        echo "Invalid nonce: " . $s_nonce;
        exit;
    }

    // ... The rest of the function implementation ...
}

In this code snippet, the function first reads the nonce from $_POST into $s_nonce and later checks it with wp_verify_nonce(). If the nonce is not valid, the function echoes an "Invalid nonce" message back to the user that includes the submitted value. Because $s_nonce is neither sanitised nor escaped before being output, any markup an attacker places in the nonce parameter is rendered as HTML in the response, which is the Reflected XSS vulnerability.

Exploit Example

An attacker could potentially exploit this vulnerability by crafting a malicious URL containing an XSS payload, such as:

https://example.com/wp-admin/admin-ajax.php?action=sl_update&_wpnonce=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

When a high privilege user opens this URL, for example after being tricked into clicking it, the payload executes in their browser with that user's session, which can lead to the malicious actions described above.
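As an added defender-side example, not code from the original post or the plugin: a small Python check that scans web-server access logs (constructed sample lines, not real traffic) for requests to admin-ajax.php whose _wpnonce value cannot be a genuine WordPress nonce, which is a cheap way to surface reflection attempts like the URL above. It assumes combined-format access logs and that valid nonces are the 10-character lowercase hex strings wp_create_nonce() produces.

```python
import re
from urllib.parse import urlparse, parse_qs

# wp_create_nonce() returns 10 lowercase hex characters; anything else in
# _wpnonce is either a client bug or a probe for a reflection like this one.
NONCE_RE = re.compile(r"^[0-9a-f]{10}$")

# Combined-format access log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic; the second one carries the
# payload from the example URL in the post above.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Sep/2023:12:15:10 +0000] "GET /wp-admin/admin-ajax.php?action=sl_update&_wpnonce=3f9a1c7e2b HTTP/1.1" 200 512
203.0.113.10 - - [04/Sep/2023:12:16:02 +0000] "GET /wp-admin/admin-ajax.php?action=sl_update&_wpnonce=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 640
203.0.113.11 - - [04/Sep/2023:12:17:30 +0000] "GET /wp-content/uploads/map.png HTTP/1.1" 200 20480
203.0.113.12 - - [04/Sep/2023:12:18:45 +0000] "POST /wp-admin/admin-ajax.php?action=sl_update&_wpnonce=abc HTTP/1.1" 200 14
"""


def suspicious_nonce_requests(log_text):
    """Return (ip, timestamp, decoded _wpnonce) for every admin-ajax.php request
    whose _wpnonce parameter cannot be a genuine WordPress nonce."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so the check runs on what PHP would see in $_GET.
        for nonce in parse_qs(url.query, keep_blank_values=True).get("_wpnonce", []):
            if not NONCE_RE.match(nonce):
                hits.append((m.group("ip"), m.group("ts"), nonce))
    return hits


if __name__ == "__main__":
    for ip, ts, nonce in suspicious_nonce_requests(SAMPLE_LOG):
        print(f"{ts} {ip} malformed _wpnonce: {nonce!r}")
```

Because the vulnerable handler reads $_POST, a payload sent in a POST body never reaches the query string, so this check only covers what the access log records; pair it with the plugin upgrade rather than relying on it alone.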

Securing Your WordPress Site

To protect your WordPress site from this vulnerability and potential exploit, you should take the following actions:

1. Upgrade the Store Locator plugin to version 1.4.13 or later by following the official update instructions.
2. Encourage all high privilege users on your WordPress site to employ strong security practices, such as using unique and strong passwords, enabling two-factor authentication, and being cautious of clicking on unfamiliar links or opening suspicious attachments.
3. Regularly audit and update all plugins, themes, and core WordPress files to ensure that your site remains protected from known security vulnerabilities.

Conclusion

The Store Locator WordPress plugin, before version 1.4.13, is vulnerable to a Reflected XSS exploit due to improper handling of nonces in an AJAX response. By upgrading to a patched version and encouraging strong security practices among users, you can help protect your WordPress site from this and other potential threats. If you use or are considering using the Store Locator plugin, we highly recommend taking these steps to safeguard your site and its users.

Timeline

Published on: 09/04/2023 12:15:10 UTC
Last modified on: 11/07/2023 04:22:11 UTC