The WordPress + Microsoft Office 365 / Azure AD | LOGIN plugin for WordPress, a popular plugin for integrating Office 365 / Azure AD login functionality into WordPress sites, is vulnerable to Stored Cross-Site Scripting (XSS) attacks. The vulnerability is present in all versions up to, and including, 27.2, and attackers with contributor-level access and above can exploit it to inject arbitrary web scripts into pages. When a user accesses an injected page, the malicious script can execute, potentially compromising the user's information and giving the attacker more control over the WordPress site.
Plugin Vulnerability Details
The vulnerability lies in the 'pintra' shortcode that the plugin uses, which is vulnerable due to insufficient input sanitization and output escaping on user-supplied attributes. This lack of sanitization and escaping allows authenticated attackers to inject arbitrary web scripts into pages by manipulating the plugin's settings.
The vulnerability can be exploited by injecting malicious code in the 'pintra' shortcode as follows
[pintra key="<img src=x onerror=alert(1)>"...other parameters...]
When a user accesses the page containing this shortcode, the embedded JavaScript alert(1) will execute, demonstrating that an attacker can inject arbitrary code into the plugin's shortcode.
Locate the plugin's settings panel and find the 'pintra' shortcode settings.
3. Inject a malicious script into one of the plugin's settings, such as the 'key' attribute shown in the code snippet above.
To mitigate the risk posed by this vulnerability, WordPress site administrators should
1. Update the WordPress + Microsoft Office 365 / Azure AD | LOGIN plugin to version 27.3 or later. The updated versions have addressed this XSS vulnerability by properly sanitizing and escaping user-supplied input and output in the plugin's shortcodes.
2. Ensure that user accounts with contributor-level access and above are only given to trusted individuals, as they have the capability to exploit this vulnerability.
3. Regularly monitor the site for any evidence of XSS attacks, such as suspicious page content or unexpected JavaScript execution.
Original References
The vulnerability was first reported and documented by the research team at Wordfence, a popular security plugin for WordPress. For a complete analysis of the vulnerability and the risks it poses, please consult Wordfence's blog post detailing the issue:
- Wordfence: Stored XSS Vulnerability in WordPress + Microsoft Office 365 / Azure AD | LOGIN
Conclusion
The Stored XSS vulnerability in the WordPress + Microsoft Office 365 / Azure AD | LOGIN plugin is a serious issue that can be exploited by attackers to compromise WordPress sites and the information of their users. Site administrators should take the necessary steps to update the plugin, restrict access to user accounts, and monitor site activity to minimize the risk of exploitation.
Timeline
Published on: 05/23/2024 08:15:08 UTC
Last modified on: 08/01/2024 20:47:41 UTC