Executive Summary

The Astra theme for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 4.12.3. This vulnerability exists because the theme does not properly sanitize input or escape output for certain post meta fields named `ast-page-background-meta` and `ast-content-background-meta`. Specifically, the function `astra_get_responsive_background_obj()` fails to escape four CSS-related sub-properties: background-color, background-image, overlay-color, and overlay-gradient. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages. These scripts will execute whenever any user views the affected page.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to inject arbitrary JavaScript code into pages via specific post meta fields. The injected scripts execute in the browsers of users who visit those pages, potentially leading to unauthorized actions such as session hijacking, defacement, or theft of sensitive information. Because the vulnerability is a Stored Cross-Site Scripting flaw, the malicious code persists on the site and affects all visitors to the compromised pages.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in the Astra WordPress theme up to version 4.12.3. Detection involves identifying posts or pages with malicious scripts injected into these meta fields.

To detect exploitation on your WordPress system, you can query the WordPress database for suspicious content in these meta fields. For example, using MySQL commands to search for script tags or suspicious JavaScript in the `wp_postmeta` table:

• SELECT * FROM wp_postmeta WHERE meta_key IN ('ast-page-background-meta', 'ast-content-background-meta') AND meta_value LIKE '%<script>%';

Additionally, monitoring HTTP traffic for unusual script execution or unexpected JavaScript payloads on pages using the Astra theme may help detect exploitation attempts.

Note that the vulnerability requires authenticated users with Contributor-level access or higher to inject scripts, so reviewing user activity logs for suspicious edits to posts or pages may also assist in detection.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the Astra theme to a version later than 4.12.3 where this vulnerability is fixed.

Until an update is applied, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with such access to exploit.

Additionally, consider implementing Web Application Firewall (WAF) rules to block or sanitize suspicious input in the affected meta fields.

Review and sanitize existing post meta data for injected scripts in the `ast-page-background-meta` and `ast-content-background-meta` fields to remove any malicious content.

Useful 0 Not Useful 0