Cross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the tweetscribe_username parameter in a save action in the tweetscribe.php page to wp-admin/options-general.php.
Attackers can exploit a cross-site request forgery (CSRF) vulnerability in the TweetScribe WordPress plugin to ride on an authenticated administrator's session and inject malicious JavaScript, leading to complete site compromise. This allows unauthorized modification of website content and potential redirection of users to phishing sites or the installation of malware. The vulnerability is triggered through the tweetscribe_username parameter, whose stored value enables cross-site scripting (XSS).
Step 1: Craft Malicious Link: The attacker crafts a malicious URL or HTML snippet containing a POST request to wp-admin/options-general.php. This request includes the tweetscribe_username parameter, which is crafted to contain a malicious JavaScript payload (XSS). This malicious link is designed to be clicked or loaded by the administrator.
Step 2: Social Engineering (or other delivery method): The attacker uses social engineering techniques (e.g., phishing emails, malicious advertisements) to trick an authenticated WordPress administrator into clicking the malicious link or visiting a webpage containing the malicious HTML.
Step 3: Request Execution: When the administrator's browser loads the malicious link, the POST request is automatically submitted to the WordPress site. Because the administrator is already authenticated, the request is executed with their privileges.
Step 4: XSS Payload Injection: The malicious JavaScript payload embedded in the tweetscribe_username parameter is saved to the database. The specific location where this username is used will determine when the XSS payload is executed.
Step 5: XSS Execution: When the administrator views a page where the injected username is displayed or used (e.g., in the plugin settings, user profile, or admin dashboard), the malicious JavaScript payload executes in their browser.
Step 6: Privilege Escalation/Site Compromise: The executed JavaScript can perform various malicious actions, such as stealing the administrator's session cookies, creating new administrator accounts, modifying website content, or redirecting users to phishing sites. This leads to complete site compromise.
The root cause lies in the TweetScribe plugin's failure to properly validate and sanitize user input, specifically the tweetscribe_username parameter, when processing requests in tweetscribe.php via the wp-admin/options-general.php page. The plugin lacks CSRF protection, allowing attackers to craft malicious requests that are executed with the privileges of an authenticated administrator. By injecting JavaScript code into the tweetscribe_username field, the attacker can then trigger XSS when the username is displayed or used elsewhere within the WordPress admin interface. This allows for the execution of arbitrary code within the context of the administrator's session. The absence of CSRF tokens and insufficient input validation are the primary flaws.
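The two missing controls described above, a request-forgery check and input validation with output escaping, are shown in the hardened settings handler below. This is an added example written for this page, not the TweetScribe plugin's own code; the option key, nonce action, form field and function names are assumptions.

```php
<?php
// Added example: a hardened WordPress settings-save handler. The option key,
// nonce action and field names are hypothetical, not TweetScribe's actual code.

// Register a page under Settings (wp-admin/options-general.php?page=tweetscribe).
add_action( 'admin_menu', function () {
    add_options_page( 'TweetScribe', 'TweetScribe', 'manage_options',
        'tweetscribe', 'tweetscribe_example_settings_page' );
} );

function tweetscribe_example_settings_page() {
    // Capability check: only administrators may reach the save logic at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['tweetscribe_save'] ) ) {
        // CSRF mitigation: the POST must carry a nonce tied to this user and action.
        // A request forged from another site cannot obtain it, so this call dies
        // before any option is written.
        check_admin_referer( 'tweetscribe_save_settings', 'tweetscribe_nonce' );

        // Input validation: a Twitter handle is 1-15 characters of [A-Za-z0-9_].
        // Anything else, including a <script> payload, is rejected rather than stored.
        $raw      = isset( $_POST['tweetscribe_username'] ) ? wp_unslash( $_POST['tweetscribe_username'] ) : '';
        $username = sanitize_text_field( $raw );
        if ( preg_match( '/^[A-Za-z0-9_]{1,15}$/', $username ) ) {
            update_option( 'tweetscribe_username', $username );
        } else {
            add_settings_error( 'tweetscribe', 'bad_username', 'Invalid Twitter username.' );
        }
    }

    // Output escaping: the stored value is escaped on render, so even a value that
    // somehow reached the database could not execute as script in the admin page.
    $current = get_option( 'tweetscribe_username', '' );
    settings_errors( 'tweetscribe' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'tweetscribe_save_settings', 'tweetscribe_nonce' ); ?>
        <label>Twitter username
            <input type="text" name="tweetscribe_username"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'tweetscribe_save' ); ?>
    </form>
    <?php
}
```

Each of the three layers stands alone: the nonce stops the forged request, the allow-list regex stops the payload from being stored, and esc_attr() stops a stored payload from running.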