Cyber Security Works has discovered a new zero-day (Stored Cross-Site Scripting) vulnerability, CVE-2021-33851 in WordPress Customize Login Image. Customize Login Image is a plugin that allows users to customize the image and the appearance of the WordPress Login Screen.
Stored Cross-Site Scripting (also known as second-order or persistent XSS) occurs when an application accepts data from an untrusted source, stores it, and later includes that data unsafely in subsequent HTTP responses.
This vulnerability is classified as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It is worth noting that CWE-79 falls under A03:2021 (Injection) in the OWASP Top 10:2021 and is ranked second in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
The following vulnerability was discovered in Customize Login Image version 3.4.
Issue: Stored Cross-Site Scripting
Log in to the WordPress application.
Note: A virtual host (wptest.com) is used for testing the application locally.
Install the Customize Login Image plugin.
Go to the ‘Settings’ menu and click on the ‘Customize Login Image’ entry in the drop-down list.
Figure 01: Customize Login Image Plugin
Enter the payload <script>alert(document.cookie)</script> in the ‘Custom Logo Link’ field (cli_logo_url parameter).
Figure 02: Entering encoded XSS payload in the ‘Custom Logo Link’ field
Click on the ‘Save Changes’ button.
Go to the WordPress login page at /wp-login.php.
Figure 03: Injected XSS payload is executed and displays an alert box containing the user’s cookies.
An attacker who can save this setting can:
Inject malicious script into the vulnerable cli_logo_url setting, which is then served to every visitor of the login page.
Use the injected script to obtain the session information of other users who load the login page.
Compromise the machines of users who visit the page.
Perform context-sensitive encoding of untrusted input before echoing it back to the browser, using a single encoding library consistently throughout the application.
Implement input validation for special characters on all variables that are stored in the database and later reflected in the browser.
Explicitly set the character set encoding for each page generated by the webserver.
Encode dynamic output elements and filter specific characters in dynamic elements.
Figure 04: The default Cross-Site Scripting mitigation setting in wp.config file to prevent XSS attacks
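To make the mitigation concrete, the following is an added example (not the plugin's code and not from Cyber Security Works) that models the flaw in plain PHP: the stored `cli_logo_url` setting is written straight into the login page, beside a hardened version that validates the value at save time and encodes it at render time. The function names are assumptions for illustration; the sample input values are constructed. In a real WordPress plugin the equivalent calls are esc_url_raw() or sanitize_text_field() when saving and esc_url() or esc_attr() when rendering.

```php
<?php
// Added example, not the plugin's code. Models the vulnerable pattern
// described in the advisory and its hardened form in plain PHP so that
// it runs stand-alone (no WordPress required).

// Constructed sample: the value an attacker saves into the
// 'Custom Logo Link' field (cli_logo_url), using the advisory's payload.
const STORED_SETTING = '<script>alert(document.cookie)</script>';

// VULNERABLE: the stored setting is concatenated into the login page
// unchanged, so whatever was saved is rendered as markup.
function render_logo_link_vulnerable(string $logoUrl): string
{
    return '<a href="' . $logoUrl . '">Logo</a>';
}

// Validation at save time: a logo link must be an absolute http(s) URL.
// The scheme allowlist matters because an attribute encoder alone does not
// neutralize URL schemes that carry script. (WordPress: esc_url_raw().)
function sanitize_logo_url(string $input): string
{
    $input  = trim($input);
    $scheme = parse_url($input, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '';   // not an http(s) URL: store nothing
    }
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return '';   // structurally invalid URL: store nothing
    }
    return $input;
}

// Output encoding at render time for the HTML attribute context.
// Quotes, angle brackets and ampersands become entities, so the value
// can no longer terminate the attribute or start a tag. (WordPress: esc_url().)
function render_logo_link_hardened(string $logoUrl): string
{
    $safe = sanitize_logo_url($logoUrl);
    if ($safe === '') {
        return '<a href="#">Logo</a>';
    }
    $encoded = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encoded . '">Logo</a>';
}

// Demonstration over constructed inputs: the advisory's payload, a
// legitimate link for the local test host, and a non-http(s) scheme.
$cases = [
    STORED_SETTING,
    'https://wptest.com/',
    'ftp://wptest.com/logo.png',
];
foreach ($cases as $case) {
    echo "input:      {$case}\n";
    echo "vulnerable: " . render_logo_link_vulnerable($case) . "\n";
    echo "hardened:   " . render_logo_link_hardened($case) . "\n\n";
}
```

Run it with `php example.php`. The vulnerable renderer emits the stored script tag verbatim, which is exactly what Figure 03 shows on /wp-login.php; the hardened renderer never emits it, because the value fails the scheme check at save time and, even for values that pass validation, every quote and angle bracket is entity-encoded before it reaches the attribute. Pairing a save-time validator with a render-time encoder is the point of the two mitigation items above: validation limits what can be stored, encoding guarantees that what is stored cannot change the page's structure.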
Contribution Credits: Gautham Sriram