Introduction
When asked about what sets Octavis apart, we always highlight our commitment to designing websites with security as a top priority. What exactly does that entail? Well, when we create a website for a client, it typically includes third-party code in the form of plugins such as calendars, booking systems or a live chat.
When we implemented a cost calculator, we meticulously considered the potential vulnerabilities it could introduce and thoroughly tested the plugin to ensure it doesn’t weaken our client’s systems. Within a day, we discovered a high-severity vulnerability.
Given that the plugin had several thousand active installs, it’s worth considering the potential consequences if this vulnerability had gone unaddressed. Specifically, we identified a stored cross-site scripting (XSS) vulnerability: the plugin neither sanitises nor escapes user input before outputting it in the web application, so malicious actors could target admin users who view submissions sent through the Email Quote Form. Ultimately, this could compromise the confidentiality and integrity of the information stored on the website.
Technical Details
1. Unauthenticated stored Cross-site scripting (CVE-2023-0983):
The example below shows a proof of concept from the perspective of an anonymous internet user:
The user is shown a form such as the one below, in which they select the options they require in order to retrieve a customised quote:

Once the user reaches the last step of the form, they are presented with several options, one being the “Email Quote” functionality, which asks the user to enter their details in order to receive the quote as a PDF by email.

The user submits their details as shown below, including an HTML image tag with a JavaScript alert.

Once a privileged user such as an Admin checks the submitted quotes in the WordPress dashboard, the JavaScript executes in their browser, as shown below:
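To make the root cause concrete, here is an added illustration (not the Stylish Cost Calculator source; the function names, field names and array shape are hypothetical) of how a quote-submission viewer in a WordPress admin page becomes a stored XSS when saved values are echoed raw, beside the same output rendered safely with WordPress’s sanitisation and escaping functions:

```php
<?php
// Added example, not the plugin's own code. Field names and the array shape are
// hypothetical. Fallback definitions let the file run outside WordPress; inside
// WordPress the core functions of the same name are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str)); // WP core also removes octets and extra whitespace
    }
}
if (!function_exists('sanitize_email')) {
    function sanitize_email($email) {
        return (string) filter_var($email, FILTER_SANITIZE_EMAIL);
    }
}

// Storage side (the "Email Quote" form handler): sanitise each field on input.
function octavis_demo_store_submission(array $post): array {
    return [
        'name'  => sanitize_text_field($post['name'] ?? ''),
        'email' => sanitize_email($post['email'] ?? ''),
    ];
}

// VULNERABLE: stored values are concatenated into admin-page HTML unescaped.
function octavis_demo_render_row_unsafe(array $row): string {
    return '<tr><td>' . $row['name'] . '</td><td>' . $row['email'] . '</td></tr>';
}

// FIXED: escape at the point of output, whatever was stored.
function octavis_demo_render_row_safe(array $row): string {
    return '<tr><td>' . esc_html($row['name']) . '</td><td>' . esc_html($row['email']) . '</td></tr>';
}

// Constructed sample submission, resembling the proof of concept described above.
$submission = ['name' => '<img src=x onerror=alert(1)>', 'email' => 'user@example.com'];

echo octavis_demo_render_row_unsafe($submission), PHP_EOL; // tag reaches the admin's browser intact
echo octavis_demo_render_row_safe($submission), PHP_EOL;   // rendered as literal text: &lt;img ...&gt;
echo octavis_demo_render_row_safe(octavis_demo_store_submission($submission)), PHP_EOL; // tag stripped on input as well
```

Escaping on output is the fix that closes the bug on its own; input sanitisation is defence in depth, since data can also reach the database through other paths.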

Allowing an unauthorised user to inject malicious JavaScript code into the form of a WordPress website can pose several dangers. Here are some of the most significant risks:
- Website Defacement: Injecting malicious JavaScript code can enable the attacker to change the appearance of the website or deface it altogether. This could lead to a loss of credibility and trust among users, leading to a decline in traffic and revenue.
- Data Theft: Malicious JavaScript code can be used to steal sensitive data from the website and its users, such as login credentials, credit card information, and personal information. This information can then be used for identity theft, fraud, and other malicious purposes.
- Malware Delivery: Attackers can use malicious JavaScript to deliver malware to the website visitors’ devices. This can result in the installation of viruses, Trojans, and other forms of malicious software, compromising the security of the users’ devices.
- SEO Spamming: Attackers can inject links to spammy websites into the website’s content or footer, leading to SEO spamming. This can lead to a decline in search engine rankings and reputation.
- Server Compromise: Because the injected JavaScript runs in the privileged user’s browser session, it can also lead to the compromise of the entire server on which the WordPress website is hosted. This can enable the attacker to access all data and resources on the server, including other websites hosted on it.
Octavis would like to thank Designful (Stylish Cost Calculator) for responding to the responsible disclosure in a timely manner and for working with Octavis to mitigate the vulnerabilities.
Timeline
25th January 2023 | Details of the vulnerability present in version 7.8.7 of the “Stylish Cost Calculator” plugin were emailed to the vendor at support@stylishcostcalculator.com.
26th January 2023 | Response from the vendor acknowledging the vulnerability and stating the plugin is being reviewed.
2nd March 2023 | CVE number reserved; Octavis worked with the vendor on a publication date for this vulnerability.
20th March 2023 | CVE number published after the vulnerability had been fixed.
20th March 2023 | Octavis confirmed the vulnerability is no longer present in the updated version 7.9.0 of the “Stylish Cost Calculator” plugin by Designful (Stylish Cost Calculator).