
Pre-Authentication XSS Vulnerability in WH Testimonials WordPress Plugin (CVE-2023-1372)

Introduction

WH Testimonials Plugin v3.0.0 is a widely used WordPress plugin for managing and displaying testimonials on websites. The plugin offers several customization options for testimonial layouts. However, our team at Yaspresents has discovered a cross-site scripting (XSS) vulnerability that enables an attacker to inject and execute malicious code in a victim's browser context.

Description of the Vulnerability

The vulnerability results from insufficient validation of user input in the "wh_homepage" POST parameter. Attackers can inject malicious code into this parameter, which is then reflected back to the victim upon visiting the compromised page.

Proof of Concept

Our team has provided a proof of concept using the following curl command to demonstrate the vulnerability:

[Proof of Concept Code Here]

Impact of the Vulnerability

Exploiting this vulnerability allows attackers to steal sensitive information such as cookies, session tokens, and other crucial data. Attackers can also perform unauthorized actions on the victim's behalf, including altering account settings, posting spam, or installing malware.

Exploitation

To exploit this vulnerability, attackers can create a malicious request containing the payload mentioned above and send it to the vulnerable server. When the server processes the request, it reflects the payload back to the victim's browser, which then executes the injected code. For instance, the attacker could send a phishing email containing a link to the compromised page, and upon clicking the link, the victim's browser would execute the injected code, allowing the attacker to steal sensitive information.

Mitigation

To mitigate the vulnerability, plugin developers should validate and sanitize user input before processing it. They should also apply output encoding so that reflected data cannot be interpreted as markup. Users should keep their plugins and WordPress installations up to date to minimize the risk of exploitation.

Remediation

Developers should implement input validation and sanitization for all user-supplied input to prevent malicious code injection. The "wh_homepage" parameter input should be sanitized to remove any potentially harmful code, such as script tags or other HTML/JavaScript markup.
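The Mitigation and Remediation sections above describe the fix in general terms: sanitize the value on the way in and encode it on the way out. The snippet below is an added illustration of that pattern for a WordPress plugin; it is not code from WH Testimonials, and the function names prefixed `example_` are hypothetical. It assumes the field is free text (if it is meant to hold a URL, `esc_url_raw()` on input and `esc_url()` on output would be the matching pair). Only the WordPress core functions `sanitize_text_field()`, `wp_unslash()` and `esc_attr()` are real.

```php
<?php
// Added example, not the plugin's own code. Two hypothetical handlers that read
// a "wh_homepage" POST field and reflect it into a form input.

// Unsafe pattern: the raw POST value is written straight into an attribute.
// Any quote, angle bracket or tag the request carries ends up in the page
// verbatim, which is exactly the reflected XSS condition described above.
function example_render_homepage_field_unsafe() {
    $value = isset( $_POST['wh_homepage'] ) ? $_POST['wh_homepage'] : '';
    echo '<input type="text" name="wh_homepage" value="' . $value . '">';
}

// Hardened pattern: sanitize on input, escape on output.
function example_render_homepage_field_safe() {
    $value = '';
    if ( isset( $_POST['wh_homepage'] ) ) {
        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_text_field() strips tags, invalid UTF-8 and control bytes,
        // so what is stored or reused later is plain text only.
        $value = sanitize_text_field( wp_unslash( $_POST['wh_homepage'] ) );
    }
    // Sanitizing is not a substitute for encoding: esc_attr() converts quotes
    // and angle brackets to HTML entities at the point of output, so the value
    // cannot terminate the attribute or open a new tag no matter what survived
    // the input step.
    echo '<input type="text" name="wh_homepage" value="' . esc_attr( $value ) . '">';
}
```

The two steps guard against different failures: input sanitization limits what the plugin accepts and stores, while output escaping protects every place the value is later rendered, including paths added after the original fix. Escaping must match the context (`esc_attr()` inside attributes, `esc_html()` in element bodies, `esc_url()` in `href` or `src`), so a single "remove script tags" filter on input, as the remediation text suggests, should be paired with context-specific encoding on output rather than relied on alone.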

References