CVE-2026-3551
Stored XSS in WordPress Custom New User Notification Plugin Settings
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | custom_new_user_notification | up to 1.2.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Custom New User Notification plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.2.0. This occurs because the plugin does not properly sanitize or escape input in several admin settings fields such as 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'.
Authenticated users with Administrator-level access or higher can inject malicious scripts into these settings. These scripts then execute whenever a user accesses the plugin settings page. In multi-site WordPress installations, subsite administrators could exploit this to target super administrators.
How can this vulnerability impact me?
This vulnerability allows attackers with administrator privileges to inject and execute arbitrary web scripts within the plugin settings page. This can lead to unauthorized actions such as stealing session cookies, defacing the admin interface, or performing actions on behalf of other administrators.
In multi-site environments, it could allow subsite administrators to compromise super administrators, potentially leading to a wider compromise of the entire WordPress network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated administrators to inject arbitrary scripts into the plugin settings page, which could lead to unauthorized actions or data exposure within WordPress multisite environments.
Such unauthorized script execution and potential data compromise could negatively impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure system configurations.
However, the provided information does not explicitly detail the direct impact on compliance frameworks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Custom New User Notification plugin for WordPress to a version later than 1.2.0 where the issue is fixed.
Additionally, restrict administrator-level access to trusted users only, as the vulnerability requires authenticated attackers with administrator privileges.
Consider reviewing and sanitizing the plugin's settings fields manually if an immediate update is not possible, to prevent injection of malicious scripts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Custom New User Notification plugin for WordPress versions up to and including 1.2.0. Detection involves identifying if this plugin and vulnerable versions are installed on your WordPress site.
You can check the installed plugin version via WP-CLI with the following command:
- `wp plugin list --status=active`
Look for the 'custom-new-user-notification' plugin and verify whether its version is 1.2.0 or below.
Additionally, to detect potential exploitation or malicious input, you can search the WordPress database options table for suspicious script tags in the plugin settings fields such as 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'. For example, using MySQL commands:
- `SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%custom_new_user_notification%' AND option_value LIKE '%<script>%';`
Note that exact option names may vary depending on the plugin implementation.
Network detection is limited as this is a stored XSS vulnerability triggered in the admin interface; monitoring HTTP requests to the plugin's admin settings page for suspicious payloads may help but is not straightforward.
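The version check and the database search above can be combined into one offline triage script. The following is an added example, not code from the plugin, from Wordfence, or from this page: it decides whether an installed version falls in the affected range (up to and including 1.2.0) and scans exported wp_options rows for script-like content in the plugin's settings values. The option names, the row layout (as produced by a SELECT over wp_options or `wp option list --format=json`), and the sample rows are constructed assumptions; the plugin's real option names may differ, as the page notes, and the patterns are broader than a bare `<script>` match because stored XSS payloads also commonly use event handlers, `javascript:` URLs, or encoded angle brackets.

```python
"""Offline triage helper for CVE-2026-3551 (added example, not the plugin's
or Wordfence's code).

1. is_affected(): is an installed plugin version in the affected range
   (all versions up to and including 1.2.0)?
2. find_suspicious_options(): which exported wp_options rows for the plugin
   contain HTML/script-like content that an administrator should review?

Row layout and option names are assumptions modelled on a SELECT over
wp_options; the plugin's actual option names may differ.
"""
import re
from typing import Iterable, List, Tuple

AFFECTED_MAX = (1, 2, 0)  # last affected version according to the advisory

# Heuristic patterns for HTML/JS inside what should be a plain subject line,
# display name or e-mail address. Case-insensitive. Matches are triage hints
# for manual review, not proof of exploitation.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b"  # risky HTML tags
    r"|\bon[a-z]+\s*="                                  # inline event handlers
    r"|javascript\s*:"                                   # javascript: URLs
    r"|&#0*60;|&#x0*3c;|%3c",                            # entity/percent-encoded '<'
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is <= 1.2.0; unparsable input is reported as False."""
    parsed = parse_version(version)
    return bool(parsed) and parsed <= AFFECTED_MAX


def find_suspicious_options(
    rows: Iterable[dict], name_filter: str = "custom_new_user_notification"
) -> List[Tuple[str, str]]:
    """Return (option_name, matched_fragment) for each plugin option whose
    value looks like it carries HTML or script. Each row is a dict with
    'option_name' and 'option_value' keys. Serialized PHP arrays (one option
    holding all settings) are handled too, since the raw string is scanned."""
    hits = []
    for row in rows:
        name = row.get("option_name", "")
        if name_filter not in name:
            continue  # unrelated WordPress option
        value = str(row.get("option_value", ""))
        match = _SUSPICIOUS.search(value)
        if match:
            hits.append((name, match.group(0)))
    return hits


# Constructed sample rows (not a real export); option names are assumed.
SAMPLE_ROWS = [
    {"option_name": "custom_new_user_notification_user_mail_subject",
     "option_value": "Welcome to Example & Co"},
    {"option_name": "custom_new_user_notification_admin_from_name",
     "option_value": 'Admin" onmouseover="alert(1)'},
    {"option_name": "custom_new_user_notification_user_from_email",
     "option_value": "noreply@example.com"},
    {"option_name": "custom_new_user_notification_admin_mail_subject",
     "option_value": "New user <script>alert(1)</script>"},
    {"option_name": "custom_new_user_notification_user_from_name",
     "option_value": "Support &#x3C;img src=x onerror=alert(1)&#x3E;"},
    {"option_name": "siteurl", "option_value": "https://example.com"},
]

if __name__ == "__main__":
    for ver in ("1.1.5", "1.2.0", "1.2.1"):
        print(f"plugin {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for name, fragment in find_suspicious_options(SAMPLE_ROWS):
        print(f"review {name}: matched {fragment!r}")
```

To use it against a live site, export the rows with the SELECT shown above (or `wp option list --format=json`), load them into a list of dicts and pass that list to `find_suspicious_options`; anything flagged should be compared with what the administrators actually configured before it is treated as an incident, because a legitimate value such as "Online=..." can also trip the event-handler heuristic.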