
CSW Zero Days | Reflected Cross-Site Scripting in WordPress

Affected Vendor

Welaunch

Status

Fixed

Date

Mar 25, 2022

Medium Severity

Description

Reflected Cross-Site Scripting attacks, also known as non-persistent attacks, occur when a malicious script is reflected back from a web application to the victim's browser. The script is delivered through a link that sends a request to a vulnerable page of the website; because the page echoes the request parameter back without encoding it, the script executes in the victim's browser.

Proof of Concept (POC)

  1. After installing the Country Selector Plugin, go to the homepage of the WordPress site.

  2. Capture all the requests and find the POST request to the AJAX call of check_country_selector.

Figure 01: Original AJAX Request

  3. Enter the payload <img+src=x+onerror=alert(document.cookie)> in the country parameter and <img+src=x+onerror=alert(document.cookie)> in the lang parameter.

Figure 02: Injected XSS Payloads in “country” and “lang” Parameter

  4. Forward the request.

  5. The injected XSS payload is reflected and triggered in the user's browser.

Figure 03: Injected JavaScript Code for “lang” and “country” Parameters is Executed On The User’s Browser

Figure 04: The Default Cross-Site Scripting Mitigation Setting in wp.config file to Prevent XSS Attacks

Impact

An attacker can perform the following:

  • Inject malicious code into the vulnerable parameter and exploit the application through the Cross-Site Scripting vulnerability.

  • Modify page content in the victim's browser and obtain the session information of other users.

  • Compromise the user's machine.

Remediations

  • Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library consistently throughout the application.

  • Implement input validation for special characters on all the variables that are reflected in the browser and stored in the database.

  • Explicitly set the character set encoding for each page generated by the webserver.

  • Encode dynamic output elements and filter specific characters in dynamic elements.
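The following is an added illustration of the remediation items above, written for this advisory and not taken from the Country Selector plugin or from Welaunch. It contrasts a minimal WordPress AJAX handler that reflects the `country` and `lang` POST parameters straight into its response (the pattern the POC describes) with a hardened handler that validates the values against an allow-list, encodes them for the HTML context at the point of output, and lets WordPress set an explicit charset on the response. The action name `check_country_selector` comes from the POC; the function names, nonce name and allowed-value lists are assumptions.

```php
<?php
// Added example for this advisory; not the plugin's own code.
// Assumed names: csw_example_* functions, the nonce action 'csw_example_country_nonce',
// and the allow-lists below. Only the AJAX action 'check_country_selector' is from the page.

// Vulnerable pattern (shown for contrast only, never registered): untrusted POST
// values are concatenated into HTML without encoding, so whatever a third-party
// crafted request carries is reflected into the responding user's browser.
function csw_example_vulnerable_handler() {
    $country = isset( $_POST['country'] ) ? $_POST['country'] : '';
    $lang    = isset( $_POST['lang'] ) ? $_POST['lang'] : '';
    echo '<div class="country">' . $country . '</div>';
    echo '<div class="lang">' . $lang . '</div>';
    wp_die();
}

// Hardened handler: validate, then encode for the output context.
function csw_example_hardened_handler() {
    // Reject requests that lack the nonce a legitimate selector form would carry.
    check_ajax_referer( 'csw_example_country_nonce', 'nonce' );

    // Input validation: strip tags/control characters, then accept only the
    // values the selector actually offers (an allow-list, not a character blacklist).
    $country = sanitize_text_field( wp_unslash( $_POST['country'] ?? '' ) );
    $lang    = sanitize_text_field( wp_unslash( $_POST['lang'] ?? '' ) );

    $allowed_countries = array( 'US', 'DE', 'IN' ); // assumed sample values
    $allowed_langs     = array( 'en', 'de', 'hi' ); // assumed sample values
    if ( ! in_array( $country, $allowed_countries, true )
        || ! in_array( $lang, $allowed_langs, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid selection' ), 400 );
    }

    // Output encoding chosen per context: esc_html() for element content,
    // esc_attr() for an attribute value. Encoding happens where the value
    // is written, not where it was read.
    $html = '<div class="country">' . esc_html( $country ) . '</div>'
          . '<div class="lang" data-lang="' . esc_attr( $lang ) . '">'
          . esc_html( $lang ) . '</div>';

    // wp_send_json_success() emits "Content-Type: application/json; charset=<blog charset>",
    // which covers the "explicitly set the character set" remediation for this response.
    wp_send_json_success( array( 'html' => $html ) );
}

// Register only the hardened handler for logged-in and anonymous callers.
add_action( 'wp_ajax_check_country_selector', 'csw_example_hardened_handler' );
add_action( 'wp_ajax_nopriv_check_country_selector', 'csw_example_hardened_handler' );
```

The page-side script that consumes this response should insert `html` with a DOM API that already expects pre-encoded markup and must not re-decode it; if the value is instead placed into a JavaScript or URL context, use the encoder for that context (`esc_js()`, `esc_url()`) rather than `esc_html()`.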

Timeline

March 24, 2022: Discovered in WordPress Country Selector Plugin, version 1.6.5

March 25, 2022: Reported to Welaunch

March 29, 2022: Acknowledged by Welaunch

March 30, 2022: Vendor Released Patch for XSS Vulnerability

March 31, 2022: CSW assigned CVE-2022-28290

Discovered by

Cyber Security Works Pvt. Ltd.

  • Affected Vendor: Welaunch
  • Bug Name: Reflected Cross-Site Scripting
  • CVE Number: CVE-2022-28290
  • CWE ID: CWE-79
  • CSW ID: 2022-CSW-03-1055
  • CVSSv3 Score: 6.1
  • Affected Version: Version 1.6.5
  • Severity: Medium
  • Affected Product: WordPress Country Selector