Executive Summary

CVE-2022-50797 is a persistent cross-site scripting (XSS) vulnerability in the Stripe Green Downloads WordPress Plugin version 2.03. It allows remote attackers with authenticated, low-privilege (moderator-level) access to inject malicious scripts into button label fields within the plugin's settings. These scripts persist on the server and execute in the admin panel's preview context, enabling attackers to hijack user sessions, manipulate application modules, perform phishing attacks, and redirect users to malicious sites. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to session hijacking, allowing attackers to take over user sessions. It also enables manipulation of application modules, non-persistent phishing attacks, and redirection to malicious external sites. Since the malicious scripts persist, attackers can maintain long-term access and control within the affected WordPress installation, compromising confidentiality and integrity of the system. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for persistent cross-site scripting (XSS) in the Stripe Green Downloads WordPress Plugin version 2.03, specifically by testing the input fields in the admin panel's settings for the button labels. The vulnerable parameters are `idcore-button-label`, `idcore-button-label-processing`, and `idcore-button-label-download`. Detection involves sending POST requests with script payloads to these parameters via AJAX to `/stripe/script/ajax.php` and observing if the scripts persist and execute in the preview context at `/stripe/script/?page=idcore-settings`. Example detection commands could include using curl to send POST requests with test scripts to these parameters and then verifying if the scripts appear in the admin preview page. For example: `curl -X POST -d "idcore-button-label=<script>alert(1)</script>" https://your-site.com/stripe/script/ajax.php` followed by checking the preview page for script execution. Note that authenticated access with moderator privileges is required to perform these tests. [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Restricting access to the admin panel to trusted users only, especially limiting moderator-level privileges to prevent unauthorized script injection. 2) Avoid using or updating the Stripe Green Downloads WordPress Plugin version 2.03 until a patched version is available. 3) If possible, apply input validation or sanitization on the affected input fields (`idcore-button-label`, `idcore-button-label-processing`, `idcore-button-label-download`) to prevent script injection. 4) Monitor and audit plugin settings for any suspicious or unexpected script content in button label fields. 5) Consider disabling or removing the plugin temporarily to prevent exploitation. These steps help reduce the risk of persistent XSS exploitation leading to session hijacking and application manipulation. [1, 3]

Useful 0 Not Useful 0