{"id":7468,"date":"2022-01-07T18:51:49","date_gmt":"2022-01-08T01:51:49","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7468"},"modified":"2023-04-05T12:36:20","modified_gmt":"2023-04-05T19:36:20","slug":"securin-discovers-a-stored-cross-site-scripting-vulnerability-in-wordpress-customize-login-image","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/securin-discovers-a-stored-cross-site-scripting-vulnerability-in-wordpress-customize-login-image\/","title":{"rendered":"Securin (previously CSW) Discovers a Stored Cross-Site Scripting Vulnerability in WordPress Customize Login Image"},"content":{"rendered":"

Cyber Security Works has discovered<\/a>\u00a0a new zero-day (Stored Cross-Site Scripting) vulnerability, CVE-2021-33851 in WordPress Customize Login Image. Customize Login Image is a plugin that allows users to customize the image and the appearance of the WordPress Login Screen.<\/p>\n

\n

Stored Cross-Site Scripting (also known as second-order or persistent XSS) occurs when an application acquires data from an untrusted source and incorporates that data in an unsafe manner in subsequent HTTP replies.<\/p>\n<\/blockquote>\n

Description<\/h2>\n

Customize Login Image version 3.4 is vulnerable to Cross-Site Scripting (XSS) attacks that can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The XSS payload executes whenever the user opens the login page of the WordPress application.<\/p>\n

This vulnerability has been assigned a CWE of CWE-79, which results in Improper Neutralization of Input during Web Page Generation. It is worth noting that CWE-79 is featured in the OWASP Top 10:2021 under A03:2021\u00a0 (Injection) and is ranked second in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.<\/p>\n

Proof-of-Concept<\/h2>\n

The following vulnerability was discovered in Customize Login Image version 3.4.<\/p>\n

Issue: Stored Cross-Site Scripting<\/strong><\/p>\n

    \n
  1. \n

    Login to the WordPress application.<\/p>\n<\/li>\n<\/ol>\n

    Note:<\/strong> A virtual host (wptest.com) is used for testing the application locally.<\/p>\n

      \n
    1. \n

      Install the Customize Login Image Plugin.<\/p>\n<\/li>\n

    2. \n

      Go to the \u2018Settings\u2019 menu and click on the \u2018Customize Login Image\u2019 drop list.<\/p>\n<\/li>\n<\/ol>\n

      <\/p>\n

      Figure 01:<\/strong> Customize Login Image Plugin<\/p>\n

       <\/p>\n

        \n
      1. \n

        Enter the payload – <script>alert(document.cookie)<\/script> in the \u2018Custom Logo Link\u2019 field (cli_logo_url parameter).<\/p>\n<\/li>\n<\/ol>\n

        <\/p>\n

        Figure 02:<\/strong> Entering encoded\u00a0 XSS payload in the\u00a0 \u2018Custom Logo Link\u2019 field<\/p>\n

          \n
        1. \n

          Click on the \u2018Save Changes\u2019 button<\/p>\n<\/li>\n

        2. \n

          Go to the WordPress login page at \/wp-login.php .<\/p>\n<\/li>\n<\/ol>\n

          <\/p>\n

          Figure 03:<\/strong> Injected XSS payload is executed and displays an alert box containing the user\u2019s cookies.<\/p>\n

          Impact<\/h2>\n

          An attacker can perform the following:<\/p>\n

            \n
          • \n

            Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.<\/p>\n<\/li>\n

          • \n

            Modify the code and get the session information of other users.<\/p>\n<\/li>\n

          • \n

            Compromise the user machine.<\/p>\n<\/li>\n<\/ul>\n

            Remediation<\/h2>\n
              \n
            • \n

              Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.<\/p>\n<\/li>\n

            • \n

              Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.<\/p>\n<\/li>\n

            • \n

              Explicitly set the character set encoding for each page generated by the webserver.<\/p>\n<\/li>\n

            • \n

              Encode dynamic output elements and filter specific characters in dynamic elements.<\/p>\n<\/li>\n<\/ul>\n

              <\/p>\n

              Figure 04:<\/strong> The default Cross-Site Scripting mitigation setting in wp.config file to prevent XSS attacks<\/p>\n

              Timeline<\/h2>\n

              \"\"<\/p>\n

              Contribution Credits: <\/strong>Gautham Sriram<\/p>\n

              \n","protected":false},"excerpt":{"rendered":"

              Cyber Security Works has discovered a new zero-day (Stored Cross-Site Scripting) vulnerability, CVE-2021-33851 in WordPress Customize Login Image.<\/p>\n","protected":false},"author":1,"featured_media":7469,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[82,80,154],"tags":[360,454,432,531,521,149],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7468"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7468"}],"version-history":[{"count":4,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7468\/revisions"}],"predecessor-version":[{"id":17385,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7468\/revisions\/17385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7469"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}