The Wordfence Threat Intelligence team discovered a stored Cross-Site Scripting (XSS) vulnerability in the popular PowerPress plugin by Blubrry on April 5, 2023. The plugin is currently in use on over 50,000 WordPress websites. The vulnerability allows individuals with contributor-level or higher permissions to insert malicious web scripts into pages via the plugin's shortcode. The wordfence team immediately initiated the responsible disclosure process.

Blubrry was contacted by Wordfence on April 6, 2023, and quickly responded. The developer was provided with complete disclosure details, and as a result, a patch was released on April 10, 2023.

We urge all users to update their sites immediately with the latest patched version of PowerPress, which is version 10.0.4 at the time of this writing, ASAP.

PowerPress Plugin Vulnerability Overview

Title: PowerPress <= 10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Plugin: PowerPress
Plugin Slug: powerpress
Affected Versions: <= 10.0
CVE ID: CVE-2023-1917
CVSS Severity Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Researcher: Alex Thomas
Fully Patched Version: 10.0.2

Technical Analysis

PowerPress is a WordPress plugin that enables users to publish and manage podcasts. The plugin includes a shortcode ([powerpress]) that can be used to display the PowerPress player on a WordPress page. However, the shortcode functionality of the plugin was implemented insecurely, which allows for arbitrary web scripts to be injected into these pages. Upon closer inspection, it was discovered that the 'powerpress_shortcode_handler' function did not properly sanitize user-supplied input, and several functions that use the shortcode attributes for various podcast player options did not sufficiently escape output.

The powerpress_shortcode_handler function

The powerpress_generate_embed function creates an iframe using unescaped shortcode attributes.

Threat actors can exploit stored XSS attacks by injecting a script that executes every time a user accesses the compromised page. This creates opportunities for stealing sensitive information, altering site content, or redirecting users to malicious websites.

Timeline

April 5, 2023 – Upon discovering the stored XSS vulnerability in PowerPress, the Wordfence Threat Intelligence team responsibly disclosed the issue.
April 6, 2023 – Wordfence team contacted the development team at Blubrry and provided them with full disclosure details.
April 7, 2023 – Upon receiving the report, the vendor acknowledges the issue and promptly starts working on a fix..
April 10, 2023 – The fully patched version is released, Version 10.0.1.
April 11, 2023 – Wordfence confirms the fix addresses the vulnerability.
April 14, 2023 – Blubrry releases an additional patch (version 10.0.2) to address a workaround

Conclusion

Our blog post outlines a stored XSS vulnerability present in the PowerPress plugin affecting versions 10.0 and prior, which permits authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages. These scripts execute when an affected page is accessed. Wordfence team have addressed this vulnerability completely in version 10.0.2 of the plugin.

It is recommended that WordPress users ensure their sites are updated to the latest patched version of PowerPress.

Note: Always have a backup of your website to avoid your website content getting wiped out.

Source of this content: Wordfence