Featured Image from URL Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text – CVE-2023-6561 | WordPress Plugin Vulnerability Report
Plugin Name: Featured Image from URL
Key Information:
- Software Type: Plugin
- Software Slug: featured-image-from-url
- Software Status: Active
- Software Author: marceljm
- Software Downloads: 4,535,007
- Active Installs: 90,000
- Last Updated: December 14, 2023
- Patched Versions: NA
- Affected Versions: <= 4.5.3
Vulnerability Details:
- Name: Featured Image from URL (FIFU) <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-6561
- CVSS Score: 6.4 (Medium)
- Publicly Published: December 14, 2023
- Researcher: Webbernaut
- Description: The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Featured Image from URL (FIFU) plugin for WordPress has a vulnerability in versions up to and including 4.5.3 that allows authenticated stored cross-site scripting via insufficient input sanitization and output escaping of the featured image's alt text. This vulnerability has not yet been patched.
Detailed Overview:
The researcher Webbernaut disclosed that the popular Featured Image from URL plugin contains a vulnerability allowing authenticated users with contributor-level access or higher to store malicious scripts within the alt text of uploaded featured images. Due to insufficient sanitization of this field, stored cross-site scripting becomes possible. When pages containing these injected featured images are viewed, the scripts will then execute for admin users and visitors to the site. This could lead to session hijacking, site defacement, or other attacks depending on the injected payload. The vulnerability impacts all versions up to and including the most recent 4.5.3.
Advice for Users:
- Immediate Action: There is not yet a patched version available. Users should consider disabling the plugin or restricting contributor permissions as a temporary mitigation.
- Check for Signs of Vulnerability: Review recent featured image uploads and inspect their alt text for malicious scripts. Also check site files for unauthorized code injections.
- Alternate Plugins: Those requiring featured image functionality may want to consider alternatives like Add Featured Image from URL or Enable Media Replace.
- Stay Updated: Check https://wordpress.org/plugins/featured-image-from-url/#developers for updates to the plugin addressing this vulnerability.
Conclusion:
This stored XSS in a popular plugin exposes sites to risk until a patch is released. Users should take precautions by restricting permissions and monitoring uploads. The response by developers in addressing this vulnerability will be critical given the plugin's extensive install base.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/featured-image-from-url
Detailed Report:
Keeping your WordPress website secure should be a top priority - outdated plugins and themes open the door for cybercriminals to exploit vulnerabilities and compromise your site. Unfortunately, the popular Featured Image from URL plugin contains a stored cross-site scripting vulnerability in versions up to and including 4.5.3 that threatens over 90,000 active installs.
This plugin allows easy remote fetching of images to use as featured images in WordPress. It has over 4.5 million downloads and 90,000 active installs, indicating wide usage, especially among small business sites like yours.
The vulnerability allows users with contributor access or higher to inject malicious scripts into featured image alt text that will execute when pages containing those images are viewed. That exposes both admin users and site visitors to potential attacks like session hijacking or site defacement.
Specifically, the lack of input sanitization and output escaping enables persistent cross-site scripting in affected versions. When unsanitized alt text for featured images is stored in the database, scripts embedded there will trigger whenever those images appear on your pages. Because those scripts also run in the browsers of logged-in administrators, a successful injection can be used to compromise admin accounts and, from there, carry out further damaging attacks.
The developer has yet to issue a patch, so site owners have to take matters into their own hands for now. You should immediately restrict contributor permissions on your site to limit exposure. Carefully comb through recently uploaded featured images and inspect alt text for malicious snippets. Also check files for unauthorized code injections just in case.
Switching to a different featured image plugin may be wise until this one is patched, even if alternatives don't offer quite the same convenience. Stay updated on releases addressing this issue.
This is unfortunately not the first vulnerability uncovered in the plugin, with three others emerging since late 2019. Their quick resolution highlights why staying on top of updates is so critical - fixes for major security flaws often arrive without fanfare.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.