Moderate severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2018-5364

Description

WPGlobus plugin 1.9.6 for WordPress has stored XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter in options.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPGlobus plugin version 1.9.6 for WordPress contains a stored cross-site scripting (XSS) vulnerability in the wpglobus_option[browser_redirect][redirect_by_language] parameter when saving settings via wp-admin/options.php. The parameter is not properly sanitized, allowing injection of arbitrary HTML and JavaScript [1].

Exploitation

An attacker with administrative access, or one using cross-site request forgery (CSRF), which is possible because no nonce is used, can inject malicious payloads. A crafted POST request to options.php carrying a payload in the wpglobus_option[browser_redirect][redirect_by_language] parameter stores the XSS, which executes when the settings page is viewed. Exploitation requires that the attacker either has direct admin access or can trick an admin into submitting a form [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard, leading to potential session hijacking, defacement, or further compromise [1].

Mitigation

As of the publication date (2018-01-12), no patched version has been released. Users should consider disabling the plugin or implementing a web application firewall rule to filter malicious input. No official fix is available in the references [1].
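
The filtering rule suggested above can be sketched as a request check placed in front of wp-admin/options.php. This is an added example, not code from the plugin or the advisory; the function name, the host blog.example, the sample value "off" and the allow-list pattern for legitimate values are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter named in the advisory; PHP also accepts sub-keys such as "...[]".
PARAM = "wpglobus_option[browser_redirect][redirect_by_language]"
# Assumption: a legitimate value is a short token with no markup characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,32}")


def inspect_request(site_host, path, headers, body):
    """Return "pass", "allow" or "block: <reason>" for one POST request."""
    if not urlsplit(path).path.endswith("/wp-admin/options.php"):
        return "pass"
    # parse_qsl percent-decodes names and values, so %5B/%5D forms match too.
    fields = [(n, v) for n, v in parse_qsl(body, keep_blank_values=True)
              if n.startswith(PARAM)]
    if not fields:
        return "pass"
    # No nonce protects the form, so require a same-site Origin or Referer.
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer") or ""
    if urlsplit(source).hostname != site_host:
        return "block: missing or cross-site origin"
    # Allow-list the value instead of hunting for known-bad strings.
    for _name, value in fields:
        if not SAFE_VALUE.fullmatch(value):
            return "block: value outside allow-list"
    return "allow"


if __name__ == "__main__":
    from urllib.parse import urlencode
    same_site = {"Origin": "https://blog.example"}
    # Constructed requests: one plain value, one value containing markup.
    for value in ("off", "<i>constructed</i>"):
        body = urlencode({PARAM: value, "action": "update"})
        print(repr(value), "->",
              inspect_request("blog.example", "/wp-admin/options.php",
                              same_site, body))
```

Because the value is matched against an allow-list after a single round of decoding, double-encoded input such as %253C is rejected as well: the leftover "%" is not an allowed character.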

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
wpglobus/wpglobus (Packagist) | < 1.9.7 | 1.9.7
