VYPR
Moderate severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2018-5363

Description

WPGlobus 1.9.6 for WordPress has stored XSS via multiple parameters in options.php, allowing script injection when admin saves settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPGlobus plugin version 1.9.6 for WordPress contains multiple stored cross-site scripting (XSS) vulnerabilities. The plugin fails to sanitize user input in several parameters when saving settings via wp-admin/options.php. Specifically, parameters such as wpglobus_option[enabled_languages][en], wpglobus_option[more_languages], wpglobus_option[selector_wp_list_pages][show_selector], wpglobus_option[post_type][post], wpglobus_option[post_type][page], and wpglobus_option[browser_redirect][redirect_by_language] allow injection of arbitrary HTML and JavaScript [1]. The vulnerability is triggered when an administrator updates the plugin settings.

Exploitation

An attacker must trick a logged-in WordPress administrator into visiting a malicious page or submitting a crafted form while the admin has an active session. The plugin lacks CSRF protection and nonce verification [1], enabling a cross-site request forgery (CSRF) attack. The attacker can create a form that submits unsanitized data to options.php, which then stores the malicious payload. When the admin saves the settings, the injected script executes in the context of the admin's browser.

Impact

Successful exploitation results in stored cross-site scripting (XSS) [1]. An attacker can execute arbitrary JavaScript in the admin's browser, potentially leading to session hijacking, defacement, or further compromise of the WordPress installation. The attacker needs no privileges of their own: the attack relies only on the CSRF trick and on an administrator's interaction (saving settings).

Mitigation

The vendor has not released a patch as of the publication date (2018-01-12) [1]. Users should upgrade to a later version if available; otherwise, restrict access to wp-admin/options.php or implement additional input validation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
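To illustrate the "additional input validation" above, the following is an added example (not code from WPGlobus or from the advisory) of registering the wpglobus_option array through the WordPress Settings API with a sanitize_callback that allow-lists each parameter named in the Vulnerability section before it is stored, and escapes values again on output. The function names, the option group name and the language-code pattern are assumptions.

```php
<?php
// Added illustration, not the WPGlobus plugin's own code. The option keys are
// the ones named in the advisory; everything else is assumed for the example.

function wpglobus_example_sanitize_options( $input ) {
    $clean = array();

    // Language codes: keep only short lowercase slugs (pattern is an assumption);
    // anything containing markup is dropped rather than stored.
    $languages = ( isset( $input['enabled_languages'] ) && is_array( $input['enabled_languages'] ) )
        ? $input['enabled_languages'] : array();
    foreach ( $languages as $code => $value ) {
        $code = sanitize_key( $code ); // WordPress core: strips all but [a-z0-9_-]
        if ( preg_match( '/^[a-z]{2,3}(-[a-z0-9]{2,8})?$/', $code ) ) {
            $clean['enabled_languages'][ $code ] = $code;
        }
    }

    // Free-text field: strip tags, octets and control characters.
    $clean['more_languages'] = sanitize_text_field( $input['more_languages'] ?? '' );

    // Switch-style fields: coerce to 0/1 instead of storing the submitted string.
    $clean['selector_wp_list_pages']['show_selector'] =
        empty( $input['selector_wp_list_pages']['show_selector'] ) ? 0 : 1;
    foreach ( array( 'post', 'page' ) as $type ) {
        $clean['post_type'][ $type ] = empty( $input['post_type'][ $type ] ) ? 0 : 1;
    }
    $clean['browser_redirect']['redirect_by_language'] =
        empty( $input['browser_redirect']['redirect_by_language'] ) ? 0 : 1;

    return $clean;
}

add_action( 'admin_init', function () {
    // The sanitize_callback runs inside update_option() on every save that goes
    // through options.php, so a crafted form cannot bypass it. Wrapping the
    // settings form fields in settings_fields( 'wpglobus_example_group' ) emits
    // the nonce that options.php verifies before it updates anything.
    register_setting( 'wpglobus_example_group', 'wpglobus_option', array(
        'type'              => 'array',
        'sanitize_callback' => 'wpglobus_example_sanitize_options',
    ) );
} );

// Escape again on output: sanitized storage is defence in depth, not a
// substitute for context-appropriate escaping in the settings page.
function wpglobus_example_render_language( $code ) {
    return '<option value="' . esc_attr( $code ) . '">' . esc_html( $code ) . '</option>';
}
```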

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions   Patched versions
wpglobus/wpglobus (Packagist)   < 1.9.7             1.9.7
