Executive Summary

The Short Comment Filter plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'Minimum Count' settings field in all versions up to and including 2.2.

This vulnerability exists because the plugin does not properly sanitize input (no sanitize callback on register_setting) and does not escape output (no esc_attr() on the echoed value in the input's value attribute).

As a result, an authenticated attacker with administrator-level access or higher can inject arbitrary web scripts into the settings page. These scripts execute whenever a user accesses that page.

This issue is especially significant in WordPress multisite installations or when the DISALLOW_UNFILTERED_HTML setting is enabled, as administrators in these contexts do not have the unfiltered_html capability.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with administrator-level access to inject malicious scripts into the WordPress settings page.

These scripts can execute in the context of users who visit the settings page, potentially leading to unauthorized actions, data theft, or further compromise of the site.

The impact is heightened in multisite WordPress installations or when DISALLOW_UNFILTERED_HTML is set, as administrators cannot use unfiltered HTML, making this vulnerability a primary vector for script injection.

According to the CVSS v3.1 score, the vulnerability has a base score of 4.4, indicating a medium severity with low confidentiality and integrity impact but no availability impact.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the Short Comment Filter plugin to a version later than 2.2 where the issue is fixed.

Ensure that only trusted administrators have access to the WordPress settings page, as the vulnerability requires administrator-level access.

Consider disabling or restricting the use of the 'Minimum Count' settings field until the plugin is updated.

In WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, review administrator capabilities to limit exposure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects the Short Comment Filter plugin for WordPress versions up to and including 2.2, specifically via the 'Minimum Count' settings field. Detection involves checking if the vulnerable plugin version is installed and if the 'Minimum Count' option contains malicious script injections.

To detect this vulnerability on your system, you can:

• Verify the installed version of the Short Comment Filter plugin to see if it is version 2.2 or earlier.
• Inspect the WordPress database options table for suspicious or script-injected values in the 'Minimum Count' setting.
• Check the settings page of the Short Comment Filter plugin for unexpected or malicious scripts executing when accessed by an administrator.

Example commands to assist detection:

• To check the plugin version via WP-CLI: wp plugin list --status=active | grep short-comment-filter
• To query the 'Minimum Count' option from the WordPress database (assuming default table prefix wp_): mysql -u [user] -p -e "SELECT option_value FROM wp_options WHERE option_name = 'short_comment_filter_minimum_count';"
• To search for suspicious script tags in the option value: Use grep or similar tools on database dumps or export the option value and inspect for <script> tags or other injected code.

Useful 0 Not Useful 0