CVE-2021-33851: Stored XSS in WordPress Plugin

Stored Cross-Site Scripting in WordPress Customize Login Image

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.

CVE IDCVE-2021-33851

CVSS v3.15.4 Medium

VendorWordPress

CWECWE-79

DisclosedDec 2, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application’s users and not the application itself while using your application as the attack’s vehicle. The XSS payload executes whenever the user opens the login page of the WordPress application..

Vendor: WordPress
Affected Product: Customize Login Image
CVE: CVE-2021-33851
Securin ID: 2021-CSW-11-1052
Status: Fixed
Date: December 2, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01The following vulnerability was discovered in Customize Login Image version 3.4.02Issue: Stored Cross-Site Scripting03Note: A virtual host (wptest.com) is used for testing the application locally.04Figure 01: Customize Login Image Plugin05Figure 02: Entering encoded XSS payload in the ‘Custom Logo Link’ field06Figure 03: Injected XSS payload is executed and displays an alert box containing the user’s cookies.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can perform the following:

Medium

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Medium

Modify the code and get the session information of other users.

High

Compromise the user machine.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

N/A

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

N/A

Explicitly set the character set encoding for each page generated by the webserver.

N/A

Encode dynamic output elements and filter specific characters in dynamic elements.

N/A

Figure 04: The default Cross-Site Scripting mitigation setting in wp.config file to prevent XSS attacks

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33851, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Nov 30, 2021

Discovered in `Customize Login Image version 3.4 ` Product

Dec 2, 2021

Reported to WordPress team

Dec 7, 2021

Vendor fixed the issue

Dec 7, 2021

Vendor reopened the plugin for download

Dec 10, 2021

CVE assigned

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2021-33851

nvd.nist.gov/vuln/detail/CVE-2021-33851 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WordPress Customize Login Image

CVE IDCVE-2021-33851

CVSS v3.15.4 Medium

VendorWordPress

CWECWE-79

DisclosedDec 2, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: WordPress
Affected Product: Customize Login Image
CVE: CVE-2021-33851
Securin ID: 2021-CSW-11-1052
Status: Fixed
Date: December 2, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can perform the following:

Medium

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Medium

Modify the code and get the session information of other users.

High

Compromise the user machine.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

N/A

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

N/A

Explicitly set the character set encoding for each page generated by the webserver.

N/A

Encode dynamic output elements and filter specific characters in dynamic elements.

N/A

Figure 04: The default Cross-Site Scripting mitigation setting in wp.config file to prevent XSS attacks

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33851, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Nov 30, 2021

Discovered in `Customize Login Image version 3.4 ` Product

Dec 2, 2021

Reported to WordPress team

Dec 7, 2021

Vendor fixed the issue

Dec 7, 2021

Vendor reopened the plugin for download

Dec 10, 2021

CVE assigned

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2021-33851

nvd.nist.gov/vuln/detail/CVE-2021-33851 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WordPress Customize Login Image

What this actually is.

From one requestto root shell.

What an attacker does to you.

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Modify the code and get the session information of other users.

Compromise the user machine.

Fix it. In this order.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

Explicitly set the character set encoding for each page generated by the webserver.

Encode dynamic output elements and filter specific characters in dynamic elements.

Vendors moved in days.Attackers in hours.

Discovered in `Customize Login Image version 3.4 ` Product

Reported to WordPress team

Vendor fixed the issue

Vendor reopened the plugin for download

CVE assigned

Cite, verify, go deeper.

NVD — CVE-2021-33851

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WordPress Customize Login Image

What this actually is.

From one requestto root shell.

What an attacker does to you.

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Modify the code and get the session information of other users.

Compromise the user machine.

Fix it. In this order.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

Explicitly set the character set encoding for each page generated by the webserver.

Encode dynamic output elements and filter specific characters in dynamic elements.

Vendors moved in days.Attackers in hours.

Discovered in `Customize Login Image version 3.4 ` Product

Reported to WordPress team

Vendor fixed the issue

Vendor reopened the plugin for download

CVE assigned

Cite, verify, go deeper.

NVD — CVE-2021-33851

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.