CVE-2023-0367 in Pricing Tables for WPBakery Page Builder Plugin
Summary
by MITRE • 04/17/2023
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/05/2023
The vulnerability identified as CVE-2023-0367 affects the Pricing Tables For WPBakery Page Builder plugin for WordPress, specifically versions prior to 3.0. This issue represents a critical security flaw that undermines the integrity of web applications built on WordPress platforms. The vulnerability stems from insufficient input validation and output escaping mechanisms within the plugin's shortcode implementation, creating an avenue for malicious actors to inject persistent malicious scripts into web pages. The affected plugin, formerly known as Visual Composer, is widely used for creating page layouts and content structures within WordPress environments, making this vulnerability particularly concerning given the plugin's prevalence in the WordPress ecosystem.
The technical flaw manifests in the plugin's handling of shortcode attributes where user-provided input is not adequately sanitized before being rendered back into the HTML output of WordPress pages. This vulnerability specifically impacts users with the contributor role and above, which is significant because contributors typically have the ability to create and publish content, making them potential vectors for attack within WordPress installations. The issue falls under the category of stored cross-site scripting attacks, where malicious scripts are permanently stored on the server and executed whenever users access the affected pages. This differs from reflected XSS attacks as the malicious code persists and affects multiple users rather than being temporary and request-specific. The vulnerability directly maps to CWE-79, which describes Cross-Site Scripting flaws, and more specifically to CWE-80, which addresses improper neutralization of script in a context-appropriate manner.
The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. Attackers with contributor-level access can craft malicious shortcodes containing JavaScript payloads that will execute in the browsers of other users who view the affected pages. This creates a persistent threat vector that can compromise user sessions and potentially lead to full administrative control of affected WordPress installations. The vulnerability is particularly dangerous because it leverages legitimate plugin functionality to deliver malicious payloads, making detection more challenging for security monitoring systems. The attack surface is broadened by the fact that these shortcodes can be embedded in various content types including posts, pages, and custom post types, increasing the potential exposure.
Mitigation strategies for CVE-2023-0367 should begin with immediate patching of the affected plugin to version 3.0 or later, which contains the necessary security fixes. Administrators should implement strict role-based access controls to limit contributor privileges to the minimum required for their tasks, particularly restricting the ability to insert custom shortcodes or HTML content. Input validation should be enhanced at multiple levels including server-side sanitization of all user-provided content and output escaping of all dynamic content before rendering. Network-level monitoring should be implemented to detect suspicious shortcode patterns and unusual content modifications. Organizations should also consider implementing Content Security Policies to limit script execution and establish proper security auditing procedures for plugin installations and updates. The vulnerability demonstrates the importance of following secure coding practices such as those outlined in the OWASP Secure Coding Practices and aligns with ATT&CK technique T1566, which covers credential harvesting through social engineering and malicious content injection. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other plugins and themes, as this represents a common pattern in WordPress plugin security flaws where insufficient input validation leads to significant exploitation opportunities.