Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products
On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin developer responded the same day and we provided full disclosure.
Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.
A patched version of the Weaver Show Posts plugin, 1.7, was released on April 1, 2023, while the patched version 6.2 of the Weaver Xtreme theme became available on April 5, 2023.
Vulnerability Summary from Wordfence Intelligence
Affected Theme: Weaver Xtreme
Theme Slug: weaver-xtreme
Affected Versions: <= 5.0.7
CVE ID: CVE-2023-1403
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 6.2
The Weaver Xtreme theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected Plugin: Weaver Show Posts
Plugin Slug: show-posts
Affected Versions: <= 1.6
CVE ID: CVE-2023-1404
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Alex Thomas
Fully Patched Version: 1.7
The Weaver Show Posts plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Vulnerability Analysis
Both the Weaver Xtreme theme and the Weaver Show Posts plugin contain author attribution functionality that can be used by site visitors to view all posts by a given author. Although the function in question used escaping to prevent Cross-Site Scripting, the order of the functions used meant that the author name was not actually escaped upon output:
This is the sort of mistake that would be very difficult to spot via a manual code review – it looks correct and was almost certainly intended to prevent exactly the sort of issue we found. We only spotted it because one of the author names on our test platform was prepopulated with a Cross-Site Scripting payload, which fired when testing an unrelated issue.
The reason this is vulnerable is that the esc_attr
function runs before the sprintf
function populates the unescaped output of the get_the_author
function.
The patched version simply escapes the output of get_the_author
and then wraps the entire block in wp_kses_post
for good measure:
This type of vulnerability emphasizes the need for dynamic security testing in addition to code review, as vulnerabilities are often hiding in plain sight.
While this type of vulnerability does require a trusted (contributor+) attacker in most configurations to exploit, Cross-Site Scripting can be used to take over a website, for instance, if an administrator views or previews a post by a contributor with malicious JavaScript hidden in their author name. On sites that use contributors, it is required for administrators or editors to review posts by contributors in order to publish them, so this is a genuine risk for sites that make use of this functionality.
Disclosure Timeline
March 14, 2023 – Two members of our Threat Intelligence team, Ramuel Gall and Alex Thomas, find similar issues in the Weaver Xtreme theme and Weaver Show Posts plugin. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. We responsibly disclose the plugin to the developer, who responds quickly.
April 1, 2023 – The Weaver Show Posts plugin receives a patch in version 1.7.
April 5, 2023 – The Weaver Xtreme theme receives a patch in version 6.2.
April 13, 2023 – The firewall rule becomes available to all Wordfence users.
Conclusion
In today’s post, we detailed two flaws in the Weaver Xtreme theme and Weaver Show Posts plugin that enabled authenticated attackers, with at least contributor-level access to a site, to inject JavaScript via their display name which could ultimately lead to complete site compromise. This flaw has been fully patched in version 1.7 of Weaver Show Posts and 6.2 of Weaver Xtreme. We recommend that WordPress users immediately verify that their site has been updated to the latest patched versions available.
Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.
If you know a friend or colleague who is using the Weaver Xtreme theme or Weaver Show Posts plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected.
If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.
Special thanks to Senior Web Application Vulnerability Researcher Alex Thomas for finding the second vulnerability in the Weaver Show Posts plugin shortly after the initial discovery of the Weaver Xtreme theme vulnerability.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments
8:28 am
Is AI used to uncover security vulnerabilities?
9:20 am
Hi,
This vulnerability wasn't uncovered via AI, just luck and habit, but there are researchers out there who are working on that capability.
8:56 am
Wouldnt the most secure version be to run esc_attr around the translated and sprintfed title? Since the translation function could potentially return content that must be escaped for attributes and esc_html doesnt escape quotation marks. Or am I missing something here?
9:11 am
Frequently doing things the most secure way possible involves sacrifices that most users aren't willing to make - in this case using
esc_attr
around everything else would likely break a number of potential titles, but it's not really necessary sinceesc_html
does escape double quotes to"
and single quotes to& #039;
. Add inwp_kses_post
and it's sufficiently secure.