VYPR
Moderate severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2018-5366

Description

WPGlobus 1.9.6 for WordPress has stored XSS via the wpglobus_option[more_languages] parameter, exploitable with CSRF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WPGlobus plugin version 1.9.6 for WordPress contains multiple stored cross-site scripting (XSS) vulnerabilities. The value submitted in the wpglobus_option[more_languages] parameter to wp-admin/options.php is saved without sanitization, so arbitrary JavaScript can be injected into the stored option [1]. Other parameters, such as wpglobus_option[enabled_languages][en], wpglobus_option[selector_wp_list_pages][show_selector], wpglobus_option[post_type][post], wpglobus_option[post_type][page], and wpglobus_option[browser_redirect][redirect_by_language], are affected in the same way [1].

Exploitation

An attacker can exploit this vulnerability by combining it with a CSRF attack, as the plugin lacks CSRF protection and nonce validation on the options page [1]. If an administrator visits a malicious page controlled by the attacker, the attacker can forge a POST request to wp-admin/options.php with crafted XSS payloads in the vulnerable parameters, achieving stored XSS [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard, potentially leading to session hijacking, privilege escalation, or defacement [1]. The attacker needs no credentials of their own, but the attack relies on tricking an authenticated admin user into triggering the forged request [1].

Mitigation

No official fix has been released for CVE-2018-5366 as of the publication date [1]. Users should upgrade to a patched version if one is available; otherwise, apply input validation and output escaping manually, or disable the plugin [1]. The plugin may also be removed from the WordPress repository if it is not maintained [1].
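As an added illustration of the mitigation described above (validate the submitted option, save it only through a nonce-protected form, and escape it on output), the following is hypothetical hardening code written for this page, not WPGlobus's own; the option layout, the wpglobus_example_* names and the language allowlist are assumptions.

```php
<?php
// Added, hypothetical hardening of an options page like the one in this advisory; not
// WPGlobus's own code. Assumes 'wpglobus_option' is an array with the sub-keys named above.
// Language codes the plugin is assumed to know (constructed sample allowlist).
const WPGLOBUS_EXAMPLE_LANGUAGES = [ 'en', 'de', 'fr', 'es', 'ru' ];
// Sanitize callback: every submitted value is reduced to an allowlisted code or a
// boolean, so markup sent in wpglobus_option[more_languages] never reaches the database.
function wpglobus_example_sanitize( $input ) {
    $input = is_array( $input ) ? $input : [];
    $clean = [];
    // more_languages: list of codes; drop anything that is not a known code.
    $more = array_filter( (array) ( $input['more_languages'] ?? [] ), 'is_string' );
    $clean['more_languages'] = array_values( array_intersect(
        array_map( 'sanitize_key', $more ), WPGLOBUS_EXAMPLE_LANGUAGES ) );
    // enabled_languages[<code>]: keys allowlisted, values coerced to bool.
    $clean['enabled_languages'] = [];
    foreach ( (array) ( $input['enabled_languages'] ?? [] ) as $code => $flag ) {
        $code = sanitize_key( $code );
        if ( in_array( $code, WPGLOBUS_EXAMPLE_LANGUAGES, true ) ) {
            $clean['enabled_languages'][ $code ] = (bool) $flag;
        }
    }
    // The other parameters listed in the advisory are plain on/off switches.
    $clean['selector_wp_list_pages']['show_selector']   = ! empty( $input['selector_wp_list_pages']['show_selector'] );
    $clean['browser_redirect']['redirect_by_language'] = ! empty( $input['browser_redirect']['redirect_by_language'] );
    foreach ( [ 'post', 'page' ] as $type ) {
        $clean['post_type'][ $type ] = ! empty( $input['post_type'][ $type ] );
    }
    return $clean;
}
add_action( 'admin_init', function () {
    // Registering with a sanitize_callback makes wp-admin/options.php run it before
    // saving, and only forms that emit the matching nonce via settings_fields( 'wpglobus_example' )
    // pass its check_admin_referer() check. That nonce check is what closes the CSRF vector.
    register_setting( 'wpglobus_example', 'wpglobus_option', [
        'type'              => 'array',
        'sanitize_callback' => 'wpglobus_example_sanitize',
    ] );
} );
// Output side: escape stored values when the settings form re-renders them.
function wpglobus_example_render_more_languages( array $opt ) {
    foreach ( $opt['more_languages'] ?? [] as $code ) {
        printf( '<label><input type="checkbox" name="wpglobus_option[more_languages][]" value="%s" checked> %s</label><br>',
            esc_attr( $code ), esc_html( $code ) );
    }
}
```

The settings form that posts to wp-admin/options.php must call settings_fields( 'wpglobus_example' ) so the nonce and option_page fields are present; without them options.php rejects the request.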

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wpglobus/wpglobus (Packagist)
Affected versions: < 1.9.7
Patched versions: 1.9.7

Affected products: 1

Patches: 0 (no patches discovered yet)
