CVE-2023-0892 in BizLibrary Plugin

Summary

by MITRE • 05/15/2023

The BizLibrary WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


Analysis

by VulDB Data Team • 04/26/2025

The vulnerability identified as CVE-2023-0892 affects the BizLibrary WordPress plugin version 1.1 and earlier, presenting a critical security risk through stored cross-site scripting flaws. The issue involves high-privilege users such as administrators, who are able to modify plugin settings, and it applies even under WordPress multisite configurations that normally withhold the unfiltered_html capability. The vulnerability stems from inadequate input sanitization and output escaping within the plugin's administrative interface, creating a persistent XSS vector that remains exploitable even when standard security measures are in place.

The technical flaw manifests in the plugin's failure to properly sanitize user-supplied data before storing it in the WordPress database and subsequently rendering it in administrative contexts. When administrators configure plugin settings through the WordPress admin panel, the input values are not adequately validated or escaped, allowing malicious scripts to be permanently stored within the system. This stored data becomes executable when other administrators or privileged users access the plugin settings, creating a classic persistent XSS scenario. The vulnerability is particularly concerning because it operates even when WordPress security restrictions are active, such as in multisite environments where the unfiltered_html capability has been explicitly denied to prevent unrestricted HTML injection.

From an operational perspective, this vulnerability poses significant risks to WordPress multisite installations where administrative privileges are distributed across multiple users. Attackers with access to plugin settings can craft malicious scripts that execute in the context of other administrators' browsers, potentially leading to session hijacking, privilege escalation, or data exfiltration. The stored nature of the vulnerability means that the malicious payload persists even after the initial exploitation attempt, allowing attackers to maintain access and continue executing malicious code without requiring repeated exploitation. This characteristic makes the vulnerability particularly dangerous in environments where multiple administrators interact with the same plugin settings.

The security implications of CVE-2023-0892 align with CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities, and can be mapped to ATT&CK technique T1059.001 for command and scripting interpreter. The vulnerability demonstrates how plugin developers can inadvertently create security weaknesses even when core WordPress security features are properly configured. Organizations should immediately update to the latest version of the BizLibrary plugin where this vulnerability has been addressed, and conduct thorough security reviews of all installed plugins to identify similar sanitization issues. Additionally, implementing proper input validation and output escaping mechanisms, as recommended by the OWASP Top Ten Project, would mitigate the risk of similar vulnerabilities in other custom or third-party WordPress components. Security monitoring should include detection of suspicious plugin configuration changes and unusual administrative activities that might indicate exploitation attempts.
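The sanitisation and escaping gap described above is easiest to see side by side. The following is an added illustration written for this page, not BizLibrary's code: a minimal WordPress settings field handled first in the unsafe pattern the advisory describes (raw value stored with `update_option`, raw value echoed back) and then in the hardened form. The option name `example_title`, the settings group, the nonce action and the function names are all hypothetical.

```php
<?php
// Added example, not the plugin's own code. Option name, settings group,
// nonce action and function names are hypothetical.

// --- Unsafe pattern (the class of defect the advisory describes) ---
// The submitted value is written to the database unchanged and later echoed
// into an attribute unchanged, so whatever an administrator typed into the
// field is rendered as markup for every other user who opens the settings page.
function example_unsafe_save() {
    if ( isset( $_POST['example_title'] ) ) {
        update_option( 'example_title', $_POST['example_title'] ); // no sanitisation
    }
}

function example_unsafe_render() {
    echo '<input type="text" name="example_title" value="' . get_option( 'example_title' ) . '">'; // no escaping
}

// --- Hardened form ---

// 1) Register the option with a sanitize_callback. Every write that goes through
//    the Settings API is then cleaned on the server, independent of who submits
//    it and of whether the submitter holds unfiltered_html.
function example_register_settings() {
    register_setting(
        'example_settings_group',
        'example_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

// 2) Any custom save path (outside the Settings API) still verifies capability
//    and nonce, and sanitises before storing. wp_unslash() undoes the slashes
//    WordPress adds to request data so the stored value is the literal text.
function example_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_settings' );

    $title = isset( $_POST['example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_title'] ) )
        : '';
    update_option( 'example_title', $title );
}

// 3) Escape on output, with the escaper that matches the context: esc_attr()
//    for an HTML attribute, esc_html() for element text, esc_url() for a href.
//    Escaping at render time protects even values that were stored before the
//    sanitize_callback existed (for example data left behind by an older version).
function example_render_field() {
    $title = get_option( 'example_title', '' );
    printf(
        '<input type="text" name="example_title" value="%s">',
        esc_attr( $title )
    );
}

// 4) If a setting is meant to hold limited HTML rather than plain text, use
//    wp_kses_post() as the sanitize_callback and again on output; it keeps the
//    tags and attributes WordPress allows in post content and strips the rest.
function example_sanitize_rich( $value ) {
    return wp_kses_post( $value );
}
```

When reviewing other plugins for the same class of issue, the two things to look for are settings written with `update_option()` or `register_setting()` without a `sanitize_callback`, and option values read back through `echo`, `print` or `printf` without an `esc_*()` or `wp_kses*()` wrapper. The WordPress Coding Standards rulesets for PHP_CodeSniffer (the `WordPress.Security.EscapeOutput` and `WordPress.Security.ValidatedSanitizedInput` sniffs) flag both patterns automatically and are a practical way to audit installed plugins at scale.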

Reservation

02/17/2023

Disclosure

05/15/2023

Moderation

accepted

CPE

ready

EPSS

0.00226

KEV

no

Activities

very low

Sources
