VYPR
Moderate severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2018-5365

Description

WPGlobus 1.9.6 for WordPress has stored XSS via multiple parameters, exploitable by admin without CSRF protection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The WPGlobus plugin version 1.9.6 for WordPress contains multiple stored cross-site scripting (XSS) vulnerabilities. The plugin fails to properly sanitize user input when saving settings via the wpglobus_option parameters, including selector_wp_list_pages[show_selector], enabled_languages, more_languages, post_type[post], post_type[page], and browser_redirect[redirect_by_language]. The vulnerable code path is reachable through the WordPress admin settings page at wp-admin/options.php [1].

Exploitation

An attacker requires administrative access to the WordPress site to trigger the stored XSS, as the vulnerable parameters are part of the plugin settings. However, combined with a CSRF flaw (no nonce or CSRF token protection), an attacker can trick an authenticated admin into visiting a crafted page that submits malicious data via a POST request. The JavaScript payload is stored and executed in the admin's browser upon page load, leading to persistent XSS [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. This can lead to privilege escalation (e.g., creating new admin users), data theft, or defacement. The stored XSS persists until explicitly removed [1].

Mitigation

The affected version is 1.9.6; no patched version has been identified as of the publication date (2018-01-12). The plugin may be discontinued or unsupported. As a workaround, administrators should verify input sanitization or disable the plugin. There is no evidence of inclusion in CISA's Known Exploited Vulnerabilities list [1].
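The root cause described above is settings input stored without sanitization on a form that carries no nonce. The following is an added example of the defensive pattern, not WPGlobus code: a `sanitize_callback` that allow-lists the parameters the advisory names, registered through `register_setting()`, and a form that emits the nonce that `options.php` verifies. The option group name, page slug and language set are assumptions.

```php
<?php
// Added example, not the plugin's own code. Option group and language set are assumed.
// The weak pattern this replaces: saving $_POST['wpglobus_option'] verbatim and echoing
// the stored values back into the settings page without escaping.

const WPG_ALLOWED_LANGS = array( 'en', 'de', 'fr', 'es' ); // assumed language codes

// Sanitize callback: only known keys survive, toggles become '0'/'1', and language
// lists are reduced to the allow-list. Anything else (including script markup) is dropped.
function wpg_sanitize_option( $input ) {
    $input = is_array( $input ) ? wp_unslash( $input ) : array();
    $clean = array();
    $clean['selector_wp_list_pages']['show_selector'] =
        empty( $input['selector_wp_list_pages']['show_selector'] ) ? '0' : '1';
    foreach ( array( 'enabled_languages', 'more_languages' ) as $key ) {
        $langs = ( isset( $input[ $key ] ) && is_array( $input[ $key ] ) ) ? $input[ $key ] : array();
        $langs = array_map( 'sanitize_key', $langs );
        $clean[ $key ] = array_values( array_intersect( $langs, WPG_ALLOWED_LANGS ) );
    }
    foreach ( array( 'post', 'page' ) as $pt ) {
        $clean['post_type'][ $pt ] = empty( $input['post_type'][ $pt ] ) ? '0' : '1';
    }
    $clean['browser_redirect']['redirect_by_language'] =
        empty( $input['browser_redirect']['redirect_by_language'] ) ? '0' : '1';
    return $clean;
}

add_action( 'admin_init', function () {
    // options.php runs this callback before update_option() for the registered option.
    register_setting( 'wpglobus_options_group', 'wpglobus_option', array(
        'type'              => 'array',
        'sanitize_callback' => 'wpg_sanitize_option',
    ) );
} );

// Settings form: settings_fields() writes the hidden option_page field plus the nonce
// that options.php checks, so a POST forged from another site is rejected.
function wpg_render_form() {
    $opt = get_option( 'wpglobus_option', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'options.php' ) ) . '">';
    settings_fields( 'wpglobus_options_group' );
    foreach ( WPG_ALLOWED_LANGS as $lang ) {
        $on = in_array( $lang, $opt['enabled_languages'] ?? array(), true );
        // Output is escaped even though stored values are already constrained.
        printf( '<label><input type="checkbox" name="wpglobus_option[enabled_languages][]" value="%s"%s> %s</label>',
            esc_attr( $lang ), checked( $on, true, false ), esc_html( $lang ) );
    }
    submit_button();
    echo '</form>';
}
```

Hook `wpg_render_form()` into an admin page callback to use it; the sanitize callback also runs when `update_option( 'wpglobus_option', ... )` is called from code, so the allow-list applies to every write path.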

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wpglobus/wpglobus (Packagist)
Affected versions: < 1.9.7
Patched versions: 1.9.7

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.