Stored XSS in Global Body Mass Index Calculator WordPress Plugin

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting via the 'gbmicalc' shortcode in the Global Body Mass Index Calculator WordPress plugin. Detection involves identifying if your WordPress installation uses this plugin version 1.2 or earlier and checking for injected scripts in pages using the shortcode.

You can search your WordPress database for instances of the 'gbmicalc' shortcode containing suspicious or unexpected script tags or HTML attribute breakouts.

Example commands to detect potential exploitation include:

• Using WP-CLI to search posts for the shortcode with suspicious content: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[gbmicalc%<script%'"
• Using grep on exported content or backups: grep -r '\[gbmicalc.*<script' /path/to/wordpress/wp-content/
• Monitoring HTTP responses for injected scripts on pages that use the shortcode.

Useful 0 Not Useful 0

Executive Summary

The Global Body Mass Index Calculator plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.2. This occurs because the plugin does not properly sanitize or escape user-supplied shortcode attributes in the GBMI_Calc_Widget::widget() function.

Specifically, shortcode attributes are extracted directly into local variables and then echoed without escaping into HTML style attributes and body context, which allows attackers to inject malicious scripts.

Authenticated users with contributor-level access or higher can exploit this to inject arbitrary web scripts that execute whenever a user views the infected page.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with contributor-level access or above to inject malicious scripts into pages on a WordPress site using the vulnerable plugin.

When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.

Because the attack is stored, the malicious code persists on the site and affects all visitors to the compromised pages.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should:

• Update the Global Body Mass Index Calculator plugin to a version later than 1.2 where the vulnerability is fixed.
• If an update is not available, disable or remove the plugin to prevent exploitation.
• Restrict contributor-level and higher user permissions to trusted users only, as exploitation requires authenticated contributor access.
• Scan your site for injected scripts and remove any malicious content found.
• Implement Web Application Firewall (WAF) rules to block common XSS payloads targeting this shortcode.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers with contributor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access to user data or session hijacking when users access the injected pages.

Such unauthorized script execution can compromise the confidentiality and integrity of user data, potentially violating data protection requirements under standards like GDPR and HIPAA.

Therefore, this vulnerability may negatively impact compliance with these regulations by exposing personal or sensitive information through cross-site scripting attacks.

Useful 0 Not Useful 0