Estimated Reading Time: three minute
In a previous blog, we looked at an XSS vulnerability within the Bookly plugin (WordPress Online Booking and Scheduling Plugin – Bookly). Today, we’re going to look at another XSS vulnerability revealed during research on the same plugin.
Our team discovered this vulnerability in March 2023. We initiated responsible disclosure procedures immediately after discovery to ensure that vulnerabilities can be addressed quickly. The CVE identifier assigned to this vulnerability is CVE-2023-1159 and was successfully patched in May 2023.
This blog post provides a comprehensive root cause analysis of the vulnerability found in the Bookly plugin. We will also review released patches to effectively mitigate this issue.
to analyze CVE-2023-1159 – Cross-Site Scripting Stored Authenticated (Admin+) Via Service Title:
Our research identified a vulnerability in the Bookly plugin related to the “Service Title” field. This vulnerability exposes the plug-in to stored XSS (cross-site scripting) attacks due to insufficient input sanitization measures. It’s important to note that admins can edit or set titles directly through the plugin interface.
Upon further investigation, we found that if a malicious title is set within a service, it is rendered and executed in the client’s browser without the user’s knowledge or consent when the client accesses the service. This execution could potentially enable remote code execution, which poses significant security risks.
For better understanding, the following code snippet shows how to set and read the value of the “Service Title” field while creating a new service.
Figure 1. The createService method called when a new service is created.
‘createService’ calls the ‘parameters’ method.
Figure 2. Shows the parameter method.
Inside the ‘parameters’ method there is a call to the ‘getRequest()’ function. This function is responsible for retrieving the input value from the interface. As a result, this value is passed to the ‘createService’ method where it is saved. However, it is important to emphasize that input sanitization does not occur during this process, leaving the system vulnerable to potential security risks.
Figure 3. Shows the getRequest method.
Fix Disclosure: Patch Investigation
A review of the patch addressing the vulnerability confirmed that the $parameters variable was properly sanitized, effectively preventing potential security breaches within the program. This notable improvement includes the implementation of the ‘unfiltered_html’ function and the ‘stripScripts’ method, which is important to sanitize $parameters and mitigate potential attacks.
Utilizing the ‘unfiltered_html’ feature, the patch ensures that only authenticated users with the required capabilities can submit unfiltered HTML content. This prevents the introduction of malicious scripts and greatly reduces the risk of cross-site scripting (XSS) attacks. The ‘stripScripts’ method further enhances the sanitization process by removing or invalidating JavaScript code embedded within $parameters.
Overall, this comprehensive approach to cleanup ensures that the $parameters variable is safe to use throughout your codebase, minimizing the potential for security vulnerabilities and increasing the overall security of your program.
Figure 4. A depiction of a patch.
conclusion
In this blog post, we investigated a vulnerability found in the Bookly plugin that could allow an authenticated attacker to compromise a user’s device by injecting a harmful script. Thankfully, this vulnerability has been patched in version 21.8. We recommend that WordPress site owners immediately update their installations with the latest plugin versions, which are essential to mitigating potential attacks. Applying updates and patches in a timely manner is critical to staying safe online. Also, be careful when granting the ‘unfiltered_html’ capability to user roles, consider the potential security implications of this capability, and only assign it to trusted individuals who truly need it.
All SEQRITE and Quick Heal customers are protected from exploits targeting this vulnerability with the following signature:
- HTTP/CVE-2023-1159!VK.47550
- HTTP/CVE-2023-1159!VK.47551
- HTTP/CVE-2023-1159!VK.47552
co-author:
Anjali Rajkumar Laut