WordPress Plugin Vulnerability Report – Ultimate Dashboard – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings – CVE-2023-4726
Plugin Name: Ultimate Dashboard
Key Information:
- Software Type: Plugin
- Software Slug: ultimate-dashboard
- Software Status: Active
- Software Author: davidvongries
- Software Downloads: 539,497
- Active Installs: 60,000
- Last Updated: November 13, 2023
- Patched Versions: 3.7.8
- Affected Versions: <= 3.7.7
Vulnerability Details:
- Name: Ultimate Dashboard <= 3.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
- Title: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-4726
- CVSS Score: 4.4 (Medium)
- Publicly Published: November 13, 2023
- Researcher: Marco Wotschka
- Description: The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Summary:
The Ultimate Dashboard plugin for WordPress has a vulnerability in versions up to and including 3.7.7 that allows authenticated users with admin access to inject malicious scripts. This vulnerability has been patched in version 3.7.8.
Detailed Overview:
The Ultimate Dashboard plugin up to version 3.7.7 has an input validation vulnerability where insufficient sanitization of data allows authenticated users with admin access to store cross-site scripts (XSS) in admin settings. This was discovered by researcher Marco Wotschka and assigned CVE-2023-4726 with a CVSS score of 4.4 (Medium). The vulnerability allows malicious scripts to be injected into admin pages and executed when other admin users load affected pages. This presents a risk of session hijacking, privilege escalation, and other attacks. Users are advised to update to version 3.7.8 or newer, which properly sanitizes input data to prevent XSS attacks.
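The root cause named above is a settings value stored without sanitization and rendered without escaping, which only matters when the saving administrator lacks the unfiltered_html capability (multisite, or sites that disable it). The following is an added illustrative example, not Ultimate Dashboard's code or its actual fix, of how a WordPress plugin settings field is saved and rendered so that this class of stored XSS cannot occur; the option name, field name, nonce action and function names are hypothetical.

```php
<?php
// Added example (not the plugin's code): a hypothetical "welcome text" setting
// on a plugin dashboard page, handled so stored XSS is not possible.

// Sanitize on save. WordPress policy lets admins who hold unfiltered_html store
// raw HTML; everyone else (e.g. site admins on multisite) is limited to the
// wp_kses_post allow-list, which strips <script>, on* handlers and javascript: URLs.
function example_sanitize_welcome_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

// Registering the option with a sanitize_callback hooks it into
// sanitize_option_{name}, so update_option() and the Settings API both filter it.
add_action( 'admin_init', function () {
    register_setting( 'example_dashboard', 'example_welcome_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_welcome_text',
        'default'           => '',
    ) );
} );

// Custom save handler (admin-post.php?action=example_save_welcome): require the
// capability and a nonce before writing; the registered callback sanitizes.
add_action( 'admin_post_example_save_welcome', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'example_save_welcome' );
    $raw = isset( $_POST['example_welcome_text'] ) ? wp_unslash( $_POST['example_welcome_text'] ) : '';
    update_option( 'example_welcome_text', $raw );
    wp_safe_redirect( wp_get_referer() );
    exit;
} );

// Escape on output, choosing the escaper for the context. The stored value may
// legitimately contain HTML, so the rendered box goes through wp_kses_post again
// (defence in depth, regardless of who saved it) and the edit field is escaped
// as text so the value is shown, not interpreted.
function example_render_welcome_box() {
    $text = get_option( 'example_welcome_text', '' );
    echo '<div class="example-welcome">' . wp_kses_post( $text ) . '</div>';
    echo '<textarea name="example_welcome_text">' . esc_textarea( $text ) . '</textarea>';
}
```

The vulnerable shape this replaces is the same field written with a bare update_option( $_POST[...] ) and echoed unescaped, which is safe only for a saving user who already holds unfiltered_html.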
Advice for Users:
- Immediate Action: Update to version 3.7.8 or newer to patch this vulnerability.
- Check for Signs of Vulnerability: Review Ultimate Dashboard admin settings and all admin pages for unauthorized code injections or other malicious content.
- Alternate Plugins: Consider alternative dashboard plugins like Admin Columns or Admin Menu Editor for enhanced security.
- Stay Updated: Ensure Ultimate Dashboard and all other plugins are updated promptly to avoid vulnerabilities.
Conclusion:
The quick response by the developers to patch this stored XSS vulnerability demonstrates the need for prompt updates. Users should update to version 3.7.8 or newer to ensure their WordPress sites are not vulnerable.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ultimate-dashboard
Detailed Report:
Keeping your WordPress website secure requires constant vigilance - new threats emerge daily. One such threat is a recently disclosed vulnerability in the popular Ultimate Dashboard plugin that allows attackers to inject malicious code into your site. If you use this plugin, your site could be at risk until you update.
In this post, we’ll break down this new vulnerability, explain how it works, and most importantly, what you need to do to protect your site. Vulnerabilities like this underline the importance of prompt updates for all plugins and themes. Outdated software is the easiest route for attackers to compromise your site.
About the Plugin
Ultimate Dashboard is a popular WordPress plugin with over 500,000 downloads. It provides an enhanced dashboard experience for managing WordPress sites. This plugin is actively maintained and has over 60,000 active installs.
The Vulnerability
Researcher Marco Wotschka recently disclosed a vulnerability in Ultimate Dashboard versions up to and including 3.7.7. This vulnerability allows authenticated users with admin access to inject malicious scripts into the plugin's settings pages. The vulnerability is tracked as CVE-2023-4726 and has a CVSS severity score of 4.4 out of 10.
Risks
This vulnerability allows attackers to potentially hijack admin sessions, escalate privileges, or conduct other malicious activities by injecting malicious scripts. These scripts would execute for any administrators accessing a compromised admin page.
Remediation
The good news is that the Ultimate Dashboard developers have already issued a patch in version 3.7.8. To fix this vulnerability, simply update the plugin to the latest version. We recommend deleting any suspicious-looking scripts that may have been injected before updating.
Previous Vulnerabilities
This is the 2nd vulnerability disclosed in Ultimate Dashboard since May 2023, underscoring the importance of prompt updates.
Conclusion
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.