VYPR
Moderate severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2018-5362

Description

The WPGlobus plugin 1.9.6 for WordPress has a stored XSS vulnerability in the wpglobus_option[post_type][page] parameter, allowing arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPGlobus plugin version 1.9.6 for WordPress contains a stored cross-site scripting (XSS) vulnerability in the wpglobus_option[post_type][page] parameter when saving settings via wp-admin/options.php. Input is not properly sanitized, allowing injection of arbitrary HTML and JavaScript. Multiple other parameters are also affected, as detailed in the advisory [1].

Exploitation

An attacker can craft a malicious HTML form that exploits a missing CSRF nonce in the options save endpoint. By tricking an authenticated WordPress administrator into submitting this form, the attacker can inject arbitrary script code into plugin settings. The payload is then stored and executed when the administrator views the settings page or when other pages render the affected options [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the WordPress admin panel. This can lead to session hijacking, privilege escalation, or the unauthorized modification of site content. The attack requires social engineering to trigger the CSRF submission [1].

Mitigation

As of the publication date, no patched version of WPGlobus has been released. The vendor should be contacted for updates. In the absence of a fix, administrators should avoid using the plugin or implement a web application firewall to block malicious input. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
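
The Vulnerability and Exploitation sections above describe two gaps: option values stored without sanitization and a settings save with no CSRF nonce. The following is an added example, not WPGlobus code and not the vendor's fix, showing how a WordPress plugin can close both with the Settings API. The `example_` function names and the `example_wpglobus_group` settings group are hypothetical, and it assumes option keys are lowercase slugs and option values are plain text.

```php
<?php
// Added example (not WPGlobus code). Names starting with example_ are hypothetical.
// Assumes it is loaded inside WordPress, e.g. as a small plugin file.

// Sanitize on save: walk the nested option array so every key and leaf, including
// wpglobus_option[post_type][page], is reduced to plain text before it is stored.
function example_sanitize_option_tree( $value ) {
	if ( is_array( $value ) ) {
		$clean = array();
		foreach ( $value as $key => $child ) {
			// Assumption: keys are lowercase slugs such as post type names.
			$clean[ sanitize_key( $key ) ] = example_sanitize_option_tree( $child );
		}
		return $clean;
	}
	// sanitize_text_field() strips tags, line breaks and extra whitespace.
	return is_scalar( $value ) ? sanitize_text_field( (string) $value ) : '';
}

// Registering the option attaches the callback to every write of wpglobus_option and
// allow-lists it for wp-admin/options.php under this settings group.
add_action( 'admin_init', function () {
	register_setting(
		'example_wpglobus_group',
		'wpglobus_option',
		array( 'sanitize_callback' => 'example_sanitize_option_tree' )
	);
} );

// Escape on output: stored values are still treated as untrusted when rendered.
function example_render_settings_form() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$options = get_option( 'wpglobus_option', array() );
	$stored  = isset( $options['post_type']['page'] ) ? $options['post_type']['page'] : '';
	$stored  = is_scalar( $stored ) ? (string) $stored : '';

	echo '<form method="post" action="options.php">';
	// settings_fields() prints the nonce that options.php verifies before saving,
	// so a cross-site form without it is rejected.
	settings_fields( 'example_wpglobus_group' );
	printf(
		'<input type="text" name="wpglobus_option[post_type][page]" value="%s" />',
		esc_attr( $stored )
	);
	submit_button();
	echo '</form>';
}
```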

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
wpglobus/wpglobus (Packagist) | < 1.9.7 | 1.9.7

