Missing Authorization and Cross-Site Scripting vulnerabilities patched in Shield Security, a security plugin with over 50,000 installations.
One of these vulnerabilities allowed unauthenticated attackers to inject malicious JavaScript into an administrator dashboard in some configurations, while another allowed authenticated attackers to spoof log entries into the same dashboard, which could also be used to exploit the first vulnerability in configurations where the unauthenticated technique was not viable.
The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the ‘User-Agent’ header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the ‘theme-plugin-file’ AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.
Vulnerability Analysis
The Shield Security plugin includes a number of features, including an audit log that records certain types of suspicious activity, such as plugin and theme installation, modification, post-deletion, and other types of activity that might impact the site. While most of these events require authentication or higher privileges in order to trigger, we found that certain events could be triggered by unauthenticated users. In particular, failed attempts to authenticate using application passwords, new user registrations, and spam activity are among the actions recorded for unauthenticated users.
The audit log records metadata about the client that performed the logged activity, including the client’s User-Agent, which can be accessed by clicking the “Meta” tag icon on an audit log entry. Unfortunately, the metadata was not escaped when it was output. While most of the metadata collected about a request has a very strict format and can only be spoofed to a limited extent, User-Agent strings are alphanumeric, and we were able to inject a script in an iframe in the User-Agent header that fired when an administrator viewed an event entry:.
While this exploit does technically require user interaction, it can be considered “Passive” user interaction, that is, it does not require tricking the administrator into performing any actions they might not have performed otherwise. Depending on the payload used, an attacker could use the script executing in the administrator’s browser to create a new administrator account under their control. Additionally, this exploit can be automated and can be exploited by unauthenticated attackers via a variety of vectors, at least one of which is likely to be present in most common site configurations. As such it earns its High severity rating.
The second vulnerability was much lower in severity and consisted of a missing authorization check on the ‘edit-theme-plugin-file’ AJAX action, which is used to record edits to a plugin or theme file. The primary consequence of this is that an authenticated attacker can spoof an audit log entry indicating that any file belonging to any plugin or theme on the site was edited. While this is primarily a nuisance, since it can be used to create audit log entries it is yet another vector to exploit the aforementioned Cross-Site Scripting vulnerability.
