Cyber Security Works has discovered a new zero-day (Stored Cross-Site Scripting) vulnerability, CVE-2021-33851, in the WordPress plugin Customize Login Image. Customize Login Image allows users to customize the image and the appearance of the WordPress login screen.
Description
Customize Login Image version 3.4 is vulnerable to stored Cross-Site Scripting (XSS): JavaScript supplied through a plugin setting is saved by the application and later executed in a user’s browser in the context of the trusted site. The stored payload runs whenever a user opens the login page of the WordPress application.
This vulnerability is classified as CWE-79, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). CWE-79 falls under A03:2021 (Injection) in the OWASP Top 10:2021 and is ranked second in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Proof-of-Concept
The following issue was identified in Customize Login Image version 3.4. The steps require a logged-in account that is allowed to change the plugin’s settings.
Issue: Stored Cross-Site Scripting
- Log in to the WordPress application.
  Note: A virtual host (wptest.com) is used for testing the application locally.
- Install and activate the Customize Login Image plugin.
- Go to the ‘Settings’ menu and click on the ‘Customize Login Image’ entry.
- Enter the payload <script>alert(document.cookie)</script> in the ‘Custom Logo Link’ field (cli_logo_url parameter).
- Click on the ‘Save Changes’ button.
- Go to the WordPress login page at /wp-login.php; the stored payload executes in the browser of every user who opens this page.
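The pattern behind the steps above, as an added PHP illustration that is not the plugin’s own code: a saved logo-link option concatenated unescaped into the login page (the stored XSS sink) beside a hardened version that validates the URL on save and encodes it on output. The option name, the exact location of the sink on wp-login.php and the assumption that the value is rendered both as an href attribute and as element text are assumptions made for the example; the payload is the one used in the PoC.

```php
<?php
// Added illustration, not code from the Customize Login Image plugin.
// Assumptions: the saved value is rendered into wp-login.php both as an
// href attribute and as visible text; real plugin sink not shown on this page.

declare(strict_types=1);

// Constructed inputs: the PoC payload and a benign logo link.
const PAYLOAD    = '<script>alert(document.cookie)</script>';
const BENIGN_URL = 'https://wptest.com/';

// Vulnerable pattern: whatever was saved in the logo-link field is
// concatenated into the login page verbatim. Because the value lives in the
// database, it fires for every visitor of /wp-login.php (stored XSS).
function render_logo_vulnerable(string $saved_url): string
{
    return '<a href="' . $saved_url . '"><img class="login-logo" alt="Logo"></a>'
         . '<p class="login-logo-link">' . $saved_url . '</p>';
}

// Hardened pattern, two independent layers:
//  1. Validate on save: only http(s) URLs with a host are accepted. In a real
//     plugin this is register_setting() with 'sanitize_callback' => 'esc_url_raw'.
//  2. Encode on output for the HTML context the value lands in. In a real
//     plugin this is esc_url() for the href and esc_html() for element text.
// Both layers are written in plain PHP here so the file runs without WordPress.
function sanitize_logo_url(string $raw): string
{
    $raw   = trim($raw);
    $parts = parse_url($raw);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '/'; // rejects markup, javascript:, data: and bare paths
    }
    return $raw;
}

function render_logo_hardened(string $saved_url): string
{
    $safe = htmlspecialchars(sanitize_logo_url($saved_url), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '"><img class="login-logo" alt="Logo"></a>'
         . '<p class="login-logo-link">' . $safe . '</p>';
}

// Check usable in a unit test or a post-deployment scan of the rendered
// login page: does the stored value surface as live markup?
function contains_live_markup(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Stand-alone run: php logo_link_xss.php
if (PHP_SAPI === 'cli') {
    foreach ([PAYLOAD, BENIGN_URL, 'javascript:alert(1)'] as $value) {
        printf("input:      %s\n", $value);
        printf("vulnerable: %s\n", render_logo_vulnerable($value));
        printf("hardened:   %s\n\n", render_logo_hardened($value));
    }
    $ok = contains_live_markup(render_logo_vulnerable(PAYLOAD), PAYLOAD)
        && !contains_live_markup(render_logo_hardened(PAYLOAD), PAYLOAD)
        && render_logo_hardened(BENIGN_URL) === render_logo_vulnerable(BENIGN_URL);
    if (!$ok) {
        fwrite(STDERR, "hardening check failed\n");
        exit(1);
    }
    echo "payload neutralised, benign URL preserved\n";
}
```

Note that output encoding alone is not enough for an href: a value such as javascript:alert(1) contains no HTML-special characters, so htmlspecialchars() leaves it intact and it still runs when the logo is clicked. That is why the scheme check on save is kept as a separate layer in front of the encoder.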
Impact
An attacker can perform the following:
Remediation
Figure 04: The default Cross-Site Scripting mitigation setting in the wp-config.php file to prevent XSS attacks
Timeline
Contribution Credits: Gautham Sriram