{"id":7468,"date":"2022-01-07T18:51:49","date_gmt":"2022-01-08T01:51:49","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7468"},"modified":"2023-04-05T12:36:20","modified_gmt":"2023-04-05T19:36:20","slug":"securin-discovers-a-stored-cross-site-scripting-vulnerability-in-wordpress-customize-login-image","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/securin-discovers-a-stored-cross-site-scripting-vulnerability-in-wordpress-customize-login-image\/","title":{"rendered":"Securin (previously CSW) Discovers a Stored Cross-Site Scripting Vulnerability in WordPress Customize Login Image"},"content":{"rendered":"<p dir=\"ltr\">Cyber Security Works has <a href=\"https:\/\/cybersecurityworks.com\/zerodays\/cve-2021-33851-stored-cross-site-scxxxripting-in-wordpress-customize-login-image.html\">discovered<\/a>\u00a0a new zero-day (Stored Cross-Site Scripting) vulnerability, CVE-2021-33851 in WordPress Customize Login Image. Customize Login Image is a plugin that allows users to customize the image and the appearance of the WordPress Login Screen.<\/p>\n<blockquote>\n<p dir=\"ltr\">Stored Cross-Site Scripting (also known as second-order or persistent XSS) occurs when an application acquires data from an untrusted source and incorporates that data in an unsafe manner in subsequent HTTP replies.<\/p>\n<\/blockquote>\n<h2 dir=\"ltr\">Description<\/h2>\n<p dir=\"ltr\">Customize Login Image version 3.4 is vulnerable to Cross-Site Scripting (XSS) attacks that can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website. The XSS payload executes whenever the user opens the login page of the WordPress application.<\/p>\n<p dir=\"ltr\">This vulnerability has been assigned a CWE of CWE-79, which results in Improper Neutralization of Input during Web Page Generation. It is worth noting that CWE-79 is featured in the OWASP Top 10:2021 under A03:2021\u00a0 (Injection) and is ranked second in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.<\/p>\n<h2 dir=\"ltr\">Proof-of-Concept<\/h2>\n<p dir=\"ltr\">The following vulnerability was discovered in Customize Login Image version 3.4.<\/p>\n<p dir=\"ltr\"><strong>Issue: Stored Cross-Site Scripting<\/strong><\/p>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Login to the WordPress application.<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><strong>Note:<\/strong> A virtual host (wptest.com) is used for testing the application locally.<\/p>\n<ol start=\"2\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Install the Customize Login Image Plugin.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Go to the \u2018Settings\u2019 menu and click on the \u2018Customize Login Image\u2019 drop list.<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/kzVD-Yxga4k9-GviJ75jnl8aSlcUn6bJkRiWLDUekVSZ0Qvfzvjlehm1X9WyhB6xokaUmyHX7eM4VJHKicshmlgg6uRaI00r8HLnerrPFnVPBF8VSrui-no-tsIY7q5QzYgT3bbe\" width=\"562\" height=\"298\" \/><\/p>\n<p dir=\"ltr\"><strong>Figure 01:<\/strong> Customize Login Image Plugin<\/p>\n<p>&nbsp;<\/p>\n<ol start=\"4\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Enter the payload &#8211; &lt;script&gt;alert(document.cookie)&lt;\/script&gt; in the \u2018Custom Logo Link\u2019 field (cli_logo_url parameter).<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/yi_g7kIjLxcKdR4T5ZbDuzoBvcLawM7C9GPqHPP7-g4SzXR2yXUVor8aaNj7d-F95eX6pH2W8BYgHJW7_JJbTKX_WVQ_0Nq-bga37maDi_5TQI3yEwGAljpEQ8tM95H32aHis5Nv\" width=\"549\" height=\"290\" \/><\/p>\n<p dir=\"ltr\"><strong>Figure 02:<\/strong> Entering encoded\u00a0 XSS payload in the\u00a0 \u2018Custom Logo Link\u2019 field<\/p>\n<ol start=\"5\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Click on the \u2018Save Changes\u2019 button<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Go to the WordPress login page at \/wp-login.php .<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/G8Qbl75raaxVWx43dPEZ4BBkSfgNlvx7pA3ZJ1OAEbh3FhdU27x4yE9gO_B2f2Br_Zpbmac8dqEZ5J122yk9MAiw7ZfqXawjYRBm3M8hx7Yw60Ra-s-aTeqtqz_5cFgjaZNZWzhS\" width=\"549\" height=\"284\" \/><\/p>\n<p dir=\"ltr\"><strong>Figure 03:<\/strong> Injected XSS payload is executed and displays an alert box containing the user\u2019s cookies.<\/p>\n<h2 dir=\"ltr\">Impact<\/h2>\n<p dir=\"ltr\">An attacker can perform the following:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Modify the code and get the session information of other users.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Compromise the user machine.<\/p>\n<\/li>\n<\/ul>\n<h2 dir=\"ltr\">Remediation<\/h2>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Explicitly set the character set encoding for each page generated by the webserver.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Encode dynamic output elements and filter specific characters in dynamic elements.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/lT42DDeRgANpDdxEa7B7agL7SoViefBhVXJ4xtka0G_9RfEB-kd4jVWTHolYOr_td0ju9zsnGoH0MYyQxsTTYqAkmMiS7HYS47E1n8ApAeZG_dJwYwNvjtwzmxBWv9BLhcGMpYSQ\" width=\"521\" height=\"308\" \/><\/p>\n<p dir=\"ltr\"><strong>Figure 04:<\/strong> The default Cross-Site Scripting mitigation setting in wp.config file to prevent XSS attacks<\/p>\n<h2 dir=\"ltr\">Timeline<\/h2>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 550px; height: 550px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/51st-zero-day-timeline-1.png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\"><strong>Contribution Credits: <\/strong>Gautham Sriram<\/p>\n<p dir=\"ltr\">\n","protected":false},"excerpt":{"rendered":"<p>Cyber Security Works has discovered a new zero-day (Stored Cross-Site Scripting) vulnerability, CVE-2021-33851 in WordPress Customize Login Image.<\/p>\n","protected":false},"author":1,"featured_media":7469,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[82,80,154],"tags":[360,454,432,531,521,149],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7468"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7468"}],"version-history":[{"count":4,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7468\/revisions"}],"predecessor-version":[{"id":17385,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7468\/revisions\/17385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7469"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}