On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin developer responded the same day and we provided full disclosure.

Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.

A patched version of the Weaver Show Posts plugin, 1.7, was released on April 1, 2023, while the patched version 6.2 of the Weaver Xtreme theme became available on April 5, 2023.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.

Vulnerability Summary From Wordfence Intelligence

Description:Weaver Xtreme Theme <= 5.0.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name 

Affected Theme: Weaver Xtreme 

Theme Slug: weaver-xtreme

Affected Versions: <= 5.0.7

CVE ID: CVE-2023-1403 

CVSS Score: 6.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 

Researcher/s: Ramuel Gall 

Fully Patched Version: 6.2

The Weaver Xtreme theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Description: Weaver Show Posts <= 1.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name 

Affected Plugin: Weaver Show Posts 

Plugin Slug: show-posts

Affected Versions: <= 1.6

CVE ID: CVE-2023-1404 

CVSS Score: 6.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 

Researcher/s: Alex Thomas 

Fully Patched Version: 1.7

The Weaver Show Posts plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability Analysis

Both the Weaver Xtreme theme and the Weaver Show Posts plugin contain author attribution functionality that can be used by site visitors to view all posts by a given author. Although the function in question used escaping to prevent Cross-Site Scripting, the order of the functions used meant that the author name was not actually escaped upon output:

sprintf 

This is the sort of mistake that would be very difficult to spot via a manual code review - it looks correct and was almost certainly intended to prevent exactly the sort of issue we found. We only spotted it because one of the author names on our test platform was prepopulated with a Cross-Site Scripting payload, which fired when testing an unrelated issue.

The reason this is vulnerable is that the esc_attr function runs before the sprintf function populates the unescaped output of the get_the_author function.

The patched version simply escapes the output of get_the_author and then wraps the entire block in wp_kses_post for good measure:

fixed 

This type of vulnerability emphasizes the need for dynamic security testing in addition to code review, as vulnerabilities are often hiding in plain sight.

While this type of vulnerability does require a trusted (contributor+) attacker in most configurations to exploit, Cross-Site Scripting can be used to take over a website, for instance, if an administrator views or previews a post by a contributor with malicious JavaScript hidden in their author name.

On sites that use contributors, it is required for administrators or editors to review posts by contributors in order to publish them, so this is a genuine risk for sites that make use of this functionality.

Disclosure Timeline

March 14, 2023 - Two members of our Threat Intelligence team, Ramuel Gall and Alex Thomas, find similar issues in the Weaver Xtreme theme and Weaver Show Posts plugin. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. We responsibly disclose the plugin to the developer, who responds quickly.

April 1, 2023 - The Weaver Show Posts plugin receives a patch in version 1.7.

April 5, 2023 - The Weaver Xtreme theme receives a patch in version 6.2.

April 13, 2023 - The firewall rule becomes available to all Wordfence users.

Conclusion

In today’s post, we detailed two flaws in the Weaver Xtreme theme and Weaver Show Posts plugin that enabled authenticated attackers, with at least contributor-level access to a site, to inject JavaScript via their display name which could ultimately lead to complete site compromise. This flaw has been fully patched in version 1.7 of Weaver Show Posts and 6.2 of Weaver Xtreme. We recommend that WordPress users immediately verify that their site has been updated to the latest patched versions available.

Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.

If you know a friend or colleague who is using the Weaver Xtreme theme or Weaver Show Posts plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

Special thanks to Senior Web Application Vulnerability Researcher Alex Thomas for finding the second vulnerability in the Weaver Show Posts plugin shortly after the initial discovery of the Weaver Xtreme theme vulnerability.