CVE-2021-33852: Stored XSS in WordPress Post Duplicator

Stored Cross – Site Scripting in WordPress (Post Duplicator Plugin – 2.23)

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.

CVE IDCVE-2021-33852

CVSS v3.15.4 Medium

VendorWordPress

CWECWE-79

DisclosedDec 2, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. The XSS payload executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.

Vendor: WordPress
Affected Product: Post-Duplicator Plugin 2.23
CVE: CVE-2021-33852
Securin ID: 2021-CSW-12-1053
Status: Fixed
Date: December 2, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01The following vulnerability was discovered in Post-Duplicator Plugin 2.23.02Issue: Stored Cross-Site Scripting03Note: Here, localhost has been used for testing the application locally.04Figure 01: Post Duplicator Settings Page05Figure 02: Entering XSS payload in the ‘Duplicate Title’ field06Figure 03: Entering XSS payload in the ‘Duplicate Slug’ field07Figure 04: Injected XSS payload is executed displaying an alert box with the contents of the user’s cookies.08Figure 05: Duplicate the “Hello world!” post09Figure 06: Duplicated post with XSS Payload10Figure 07: Injected XSS payload is executed displaying an alert box with the contents of the user’s cookies.11Figure 08: The default cross-site scripting mitigation setting in wp.config file to prevent cross-site scripting attacks

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can perform the following:

Medium

Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.

Medium

Modify the code and get the session information of other users

High

Compromise the user machine.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of entrusted input before it is echoed back to a browser using an encoding library throughout the application.

N/A

Implement input validation for special characters on all the variables reflected in the browser and stored in the database.

N/A

Explicitly set the character set encoding for each page generated by the webserver.

N/A

Encode dynamic output elements and filter specific characters in dynamic elements.

N/A

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33852, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Dec 28, 2021

Discovered in `Post Duplicator Plugin – 2.23` Product

Dec 29, 2021

Reported to WordPress team

Dec 31, 2021

Vendor fixed the issue

Dec 31, 2021

CSW assigned the CVE Identifier (CVE-2021-33852)

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2021-33852

nvd.nist.gov/vuln/detail/CVE-2021-33852 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross – Site Scripting in WordPress (Post Duplicator Plugin – 2.23)

CVE IDCVE-2021-33852

CVSS v3.15.4 Medium

VendorWordPress

CWECWE-79

DisclosedDec 2, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: WordPress
Affected Product: Post-Duplicator Plugin 2.23
CVE: CVE-2021-33852
Securin ID: 2021-CSW-12-1053
Status: Fixed
Date: December 2, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can perform the following:

Medium

Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.

Medium

Modify the code and get the session information of other users

High

Compromise the user machine.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of entrusted input before it is echoed back to a browser using an encoding library throughout the application.

N/A

Implement input validation for special characters on all the variables reflected in the browser and stored in the database.

N/A

Explicitly set the character set encoding for each page generated by the webserver.

N/A

Encode dynamic output elements and filter specific characters in dynamic elements.

N/A

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33852, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Dec 28, 2021

Discovered in `Post Duplicator Plugin – 2.23` Product

Dec 29, 2021

Reported to WordPress team

Dec 31, 2021

Vendor fixed the issue

Dec 31, 2021

CSW assigned the CVE Identifier (CVE-2021-33852)

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2021-33852

nvd.nist.gov/vuln/detail/CVE-2021-33852 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross – Site Scripting in WordPress (Post Duplicator Plugin – 2.23)

What this actually is.

From one requestto root shell.

What an attacker does to you.

Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.

Modify the code and get the session information of other users

Compromise the user machine.

Fix it. In this order.

Perform context-sensitive encoding of entrusted input before it is echoed back to a browser using an encoding library throughout the application.

Implement input validation for special characters on all the variables reflected in the browser and stored in the database.

Explicitly set the character set encoding for each page generated by the webserver.

Encode dynamic output elements and filter specific characters in dynamic elements.

Vendors moved in days.Attackers in hours.

Discovered in `Post Duplicator Plugin – 2.23` Product

Reported to WordPress team

Vendor fixed the issue

CSW assigned the CVE Identifier (CVE-2021-33852)

Cite, verify, go deeper.

NVD — CVE-2021-33852

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross – Site Scripting in WordPress (Post Duplicator Plugin – 2.23)

What this actually is.

From one requestto root shell.

What an attacker does to you.

Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.

Modify the code and get the session information of other users

Compromise the user machine.

Fix it. In this order.

Perform context-sensitive encoding of entrusted input before it is echoed back to a browser using an encoding library throughout the application.

Implement input validation for special characters on all the variables reflected in the browser and stored in the database.

Explicitly set the character set encoding for each page generated by the webserver.

Encode dynamic output elements and filter specific characters in dynamic elements.

Vendors moved in days.Attackers in hours.

Discovered in `Post Duplicator Plugin – 2.23` Product

Reported to WordPress team

Vendor fixed the issue

CSW assigned the CVE Identifier (CVE-2021-33852)

Cite, verify, go deeper.

NVD — CVE-2021-33852

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.