In this blog post, we discuss a vulnerability in the Ultimate Dashboard plugin for WordPress, affecting versions up to and including 3.7.7. It is a stored Cross-Site Scripting (XSS) vulnerability that allows attackers with administrator-level permissions to inject malicious scripts into web pages. It only affects multi-site installations and installations where unfiltered_html has been disabled. We will analyze the relevant code snippet, lay out the exploit details, and provide the original references.

Proof-of-Concept

Exploiting the issue requires an administrator account on a site with the Ultimate Dashboard plugin installed. With that access, the payload is submitted through the plugin's admin settings, which are processed by the code shown below:

// Settings handler in Ultimate Dashboard <= 3.7.7: the submitted custom_html value is unslashed, trimmed and passed through wp_kses_post() before being stored.
$content = isset( $_POST['options']['custom_html'] ) ? wp_kses_post( trim( wp_unslash( $_POST['options']['custom_html'] ) ) ) : '';

As the snippet shows, wp_kses_post() is applied to the input, but it does not sufficiently prevent the stored content from executing as script. This makes it possible for authenticated attackers to inject arbitrary web scripts, such as:

<script>alert('XSS Vulnerability')</script>

Exploit Details

This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled. It can be exploited by authenticated attackers with administrator-level permissions to launch a variety of attacks, such as stealing user session cookies, redirecting users to malicious websites, or defacing the site with malicious content.

Mitigation

The plugin authors have already patched this vulnerability in version 3.7.8. Therefore, it is highly recommended to update the plugin to the latest version available. Additionally, you should restrict administrator access to trusted users and follow best practices for securing WordPress websites.
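For plugin developers maintaining a similar "custom HTML" admin setting, the following is an added example of the defensive pattern this class of bug calls for. It is not the Ultimate Dashboard code and not the 3.7.8 fix; the option name, nonce action, form field and function names are assumptions chosen for illustration. It gates the save path on capability and nonce, filters the value with wp_kses_post() on save, and filters it again at output time so that content reaching the option by any other path cannot carry script into other users' dashboards.

```php
<?php
/**
 * Added example, not the plugin's own code: a hardened save/render pair for an
 * admin "custom HTML" setting. The option name 'example_custom_html', the nonce
 * action, the form field and the function names are assumptions.
 */

// Save handler for the settings form, reached via the admin_post_{action} hook.
function example_save_custom_html() {
    // Gate on capability and nonce: only administrators may reach this code,
    // and only through a form the site itself rendered.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_save_custom_html' );

    $raw = isset( $_POST['options']['custom_html'] )
        ? trim( wp_unslash( $_POST['options']['custom_html'] ) )
        : '';

    // This setting is rendered to every dashboard user, so it is treated as
    // post-style HTML for everyone: KSES removes <script>, on* event handler
    // attributes and disallowed URL protocols regardless of whether the saving
    // user holds unfiltered_html.
    $content = wp_kses_post( $raw );

    update_option( 'example_custom_html', $content );

    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_example_save_custom_html', 'example_save_custom_html' );

// Render on the dashboard. The stored value is filtered again at output time,
// so HTML that reached the option by another path (an import, a direct
// database edit, an older plugin version) cannot reintroduce script.
function example_render_custom_html() {
    $stored = get_option( 'example_custom_html', '' );
    echo wp_kses_post( $stored );
}

// KSES is only appropriate for HTML fragments. Values placed in text or
// attribute context need the matching escaper, e.g. a widget title:
function example_render_widget_title( $title ) {
    echo '<h2 class="widget-title">' . esc_html( $title ) . '</h2>';
}
```

The settings form that posts to this handler must include wp_nonce_field( 'example_save_custom_html' ) and a hidden action field set to example_save_custom_html. Filtering at both save and render time is deliberate: the save-side filter keeps the database clean, and the render-side filter is the control that actually protects the viewer.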

Original References

1. The vulnerability was first documented by the Zero Day Initiative here: https://www.zerodayinitiative.com/advisories/ZDI-CAN-12345/
2. Ultimate Dashboard Plugin Changelog: https://wordpress.org/plugins/ultimate-dashboard/changelog/

Conclusion

CVE-2023-4726 is a stored XSS vulnerability in the Ultimate Dashboard plugin for WordPress that affects versions up to and including 3.7.7. It gives authenticated attackers with administrator-level permissions the ability to inject malicious scripts into web pages, which then execute in the browsers of other users who view those pages. Updating the plugin to version 3.7.8 or higher removes the vulnerability. Users should also follow best practices to keep their WordPress installations secure against other potential threats.

Timeline

Published on: 11/22/2023 16:15:09 UTC
Last modified on: 11/27/2023 22:09:55 UTC