CVE-2022-1267 in BMI BMR Calculator Plugin

Summary

by MITRE • 05/16/2022

The BMI BMR Calculator WordPress plugin through 1.3 does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting.


Analysis

by VulDB Data Team • 05/18/2022

The BMI BMR Calculator WordPress plugin version 1.3 and earlier contains a critical reflected cross-site scripting vulnerability that stems from inadequate input sanitization and output escaping mechanisms. This vulnerability exists within the plugin's handling of POST data, where user-supplied parameters are directly incorporated into HTTP responses without proper validation or encoding. The flaw allows attackers to inject malicious scripts into web pages viewed by other users, creating a persistent security risk that can be exploited across multiple sessions and user interactions.

The vulnerability arises when the plugin processes user input from POST requests and fails to apply sanitization routines before rendering that data in the HTTP response. Malicious payloads can therefore execute in the context of a victim's browser, enabling attackers to perform actions such as stealing session cookies, defacing web pages, or redirecting users to malicious sites. The vulnerability specifically affects the plugin's handling of arbitrary POST data that is reflected back to users without HTML escaping or context-appropriate encoding. This issue aligns with CWE-79, which defines cross-site scripting as a common weakness where web applications fail to validate or escape user-controllable data before incorporating it into dynamically generated content.

The operational impact of this reflected XSS vulnerability extends beyond simple script execution, as it can be leveraged for more sophisticated attacks within the WordPress environment. An attacker could craft malicious POST requests that, when processed by the vulnerable plugin, would execute scripts in the browser context of authenticated users. This could lead to privilege escalation, data theft, or complete compromise of user accounts if administrators or other users interact with the malicious content. The vulnerability affects all users who interact with the plugin's functionality, making it particularly dangerous in multi-user environments where administrators may be exposed to malicious payloads through normal plugin usage patterns. According to the ATT&CK framework, this vulnerability maps to T1566.001, which covers initial access through malicious web content, and T1059.007, which involves command and scripting interpreter through web shell or script injection.

Mitigation strategies for this vulnerability should focus on immediate patching of the plugin to version 1.4 or later, which contains the necessary sanitization and escaping mechanisms. Administrators should also implement comprehensive input validation and output encoding practices throughout their WordPress installations, ensuring that all user-supplied data is properly sanitized before being processed or displayed. Additional protective measures include implementing content security policies that restrict script execution, monitoring for suspicious POST data patterns, and conducting regular security audits of WordPress plugins and themes. The vulnerability demonstrates the critical importance of proper input validation and output escaping in web applications, particularly within CMS platforms where plugins can introduce security weaknesses through insufficient data sanitization practices.
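As an added illustration of the bug class the analysis describes (this is constructed code, not the plugin's own), the following PHP shows a handler that reflects POST fields into the response unescaped, beside a hardened version that uses WordPress's nonce check, input validation and context-specific escaping. The function names and the height, weight and bmi_nonce field names are assumptions.

```php
<?php
// Constructed illustration of the bug class described above, not code from the
// BMI BMR Calculator plugin. The function names and the 'height', 'weight' and
// 'bmi_nonce' POST field names are hypothetical.

// Vulnerable pattern: POST data is written straight into the response, so any
// markup or script in the request body is interpreted by the victim's browser.
function bmi_render_result_vulnerable() {
    $height = $_POST['height']; // untrusted and unsanitised
    $weight = $_POST['weight'];
    echo '<p>Height: ' . $height . ' cm, Weight: ' . $weight . ' kg</p>';
    echo '<input type="text" name="height" value="' . $height . '">';
}

// Hardened pattern: tie the request to the plugin's own form with a nonce,
// validate on input, and escape on output with the function that matches the
// output context (esc_html for text nodes, esc_attr for attribute values).
function bmi_render_result_hardened() {
    $nonce = isset( $_POST['bmi_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['bmi_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'bmi_calc' ) ) {
        wp_die( 'Invalid request.' );
    }
    // Numeric fields: the float cast discards anything that is not a number, so
    // stray markup never survives input handling. Output escaping below is kept
    // as defence in depth; validation and escaping are not substitutes for each other.
    $height = isset( $_POST['height'] ) ? (float) wp_unslash( $_POST['height'] ) : 0.0;
    $weight = isset( $_POST['weight'] ) ? (float) wp_unslash( $_POST['weight'] ) : 0.0;
    if ( $height <= 0 || $weight <= 0 ) {
        echo '<p>' . esc_html( 'Please enter positive numbers for height and weight.' ) . '</p>';
        return;
    }
    $bmi     = $weight / ( ( $height / 100 ) ** 2 );
    $summary = sprintf( 'Height: %.1f cm, Weight: %.1f kg, BMI: %.1f', $height, $weight, $bmi );
    echo '<p>' . esc_html( $summary ) . '</p>';
    // Attribute context: esc_attr, not esc_html, because the value sits inside quotes.
    echo '<input type="text" name="height" value="' . esc_attr( (string) $height ) . '">';
}

// The form that submits to the hardened handler carries the matching nonce field.
function bmi_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'bmi_calc', 'bmi_nonce' );
    echo '<input type="number" step="0.1" name="height" placeholder="cm">';
    echo '<input type="number" step="0.1" name="weight" placeholder="kg">';
    echo '<button type="submit">Calculate</button></form>';
}
```

Both handlers are meant to run inside WordPress, where sanitize_text_field, wp_unslash, wp_verify_nonce, esc_html, esc_attr and wp_nonce_field are provided by core.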

Reservation: 04/07/2022

Disclosure: 05/16/2022

Moderation: accepted

CPE: ready

EPSS: 0.00813

KEV: no

Activities: very low
