CVE-2018-16363 Scanner
CVE-2018-16363 Scanner - Cross-Site Scripting (XSS) vulnerability in WordPress File Manager
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 23 hours
Scan only one: Domain, Subdomain, IPv4
WordPress File Manager is a plugin that lets website administrators manage files directly from the WordPress admin dashboard. It is widely used because it gives access to the file system without an FTP client. The plugin allows admins to upload, delete, copy, move, rename, archive, and extract files from within the WordPress interface. It is particularly popular among non-technical users because it provides an intuitive graphical interface. The plugin aims to simplify file management for those who are not comfortable with command-line tools or FTP, and its value shows in quick file changes for updates or small adjustments on WordPress sites.
The Cross-Site Scripting (XSS) vulnerability in WordPress File Manager affects versions below 3.0 and allows authenticated users to inject scripts into the admin dashboard. This class of vulnerability occurs when user input is not properly sanitized and is then executed in the context of the administrator's session. The flaw lies in the 'lang' parameter, which is echoed into a JavaScript context without adequate encoding or sanitization. An authenticated reflected XSS runs with the privileges of the victim's session, so its impact scales with the role of the user who opens the crafted link. Attackers can use XSS to inject scripts that steal session tokens, perform actions on behalf of users, or propagate further attacks. Overall, such vulnerabilities compromise the integrity, confidentiality, and availability of the affected web application.
The technical details of this XSS vulnerability revolve around the improper sanitization of the 'lang' parameter within the WordPress File Manager plugin. Specifically, a script payload placed in this parameter is neither escaped nor sanitized. Exploitation requires that a URL containing the crafted script be opened within an authenticated WordPress admin session. When WordPress processes this crafted URL, the JavaScript executes with the permissions of the logged-in admin, that is, inside the application context. Because the value is echoed unsanitized into a JavaScript context, any maliciously crafted URL visited during a session can lead to script injection.
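The root cause described above is a value from the query string being dropped into an inline script as if it were a string literal. The following Python model is an added illustration and is not code from the File Manager plugin (which is written in PHP); the function names, the locale-code allowlist and the probe string are assumptions for the demonstration. It places the vulnerable concatenation pattern next to a hardened version that first validates 'lang' against an allowlist and then encodes whatever remains for a JavaScript context, so that neither a quote nor a closing script tag can terminate the literal early.

```python
import json
import re

# Assumption for this example: the 'lang' parameter is a locale code such as
# "en" or "pt_BR", so anything that does not look like one can be rejected.
LANG_PATTERN = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?$")
DEFAULT_LANG = "en"


def render_unsafe(lang: str) -> str:
    """Vulnerable pattern: the parameter is concatenated straight into an
    inline script.  A quote ends the string literal and a '</script' ends
    the script element, so the rest of the value is parsed as markup."""
    return "<script>var lang = '" + lang + "';</script>"


def validate_lang(lang: str) -> str:
    """Allowlist check: only locale-shaped values pass, anything else falls
    back to the default instead of being echoed."""
    return lang if LANG_PATTERN.fullmatch(lang) else DEFAULT_LANG


def js_string_literal(value: str) -> str:
    """Encode a string for a JavaScript context.  json.dumps escapes quotes,
    backslashes, control characters and (with ensure_ascii) all non-ASCII;
    '</' is additionally written as '<\\/' so the HTML parser never sees a
    closing script tag inside the literal."""
    return json.dumps(value).replace("</", "<\\/")


def render_safe(lang: str) -> str:
    """Hardened pattern: validate against the allowlist, then encode for the
    JavaScript context.  Either layer alone blocks the break-out; together
    they also keep junk out of the page."""
    return "<script>var lang = " + js_string_literal(validate_lang(lang)) + ";</script>"


def script_terminated_early(html: str) -> bool:
    """Check used to compare the two renderers: the HTML parser ends a script
    element at the first '</script' (case-insensitive), so more than one
    occurrence means the injected value escaped the string literal."""
    return html.lower().count("</script") > 1


if __name__ == "__main__":
    # Constructed probe: a value that closes the literal and the script element.
    probe = "en'</script><script>alert(1)</script>"
    print("unsafe :", render_unsafe(probe))
    print("safe   :", render_safe(probe))
    print("encoded:", js_string_literal(probe))
```

The allowlist is the stronger control here because a language selector has a small, known set of valid values; the encoder is what protects any place where free-form text must legitimately reach a script block.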
Exploitation of this Cross-Site Scripting vulnerability could have severe consequences. A successful attack might allow an attacker to gain admin privileges by stealing session cookies, to redirect users, or to mount further phishing attacks. Unauthorized commands executed in the administrator's session could lead to data exposure, data alteration or degradation of service. Beyond the loss of trust and service disruption, this may also lead to compliance violations and privacy breaches. Ultimately, exploitation can cause significant reputational damage to organizations that rely on WordPress for their website infrastructure.