VYPR
Moderate severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2018-5367

Description

The WPGlobus plugin 1.9.6 for WordPress is vulnerable to stored XSS via the wpglobus_option[post_type][post] parameter in wp-admin/options.php, due to insufficient input sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WPGlobus 1.9.6 for WordPress contains a stored cross-site scripting (XSS) vulnerability in the wpglobus_option[post_type][post] parameter, which is submitted from the plugin's settings page and processed by wp-admin/options.php. The plugin neither sanitizes the value before it is written to the options table nor escapes it when rendering it back into the settings page, so arbitrary HTML and JavaScript can be persisted in the option and executed whenever the page that displays it is loaded. [1]

Exploitation

Exploitation consists of an HTTP POST to wp-admin/options.php carrying the payload in the wpglobus_option[post_type][post] parameter. Saving WPGlobus settings requires administrator privileges, so an attacker cannot submit the form directly without already holding that role. The reference reports that the settings form carries no CSRF nonce [1], and that is what makes the issue reachable from outside: the attacker hosts a page that auto-submits the crafted form, lures a logged-in administrator into visiting it, and the victim's own browser stores the payload, yielding stored XSS in the admin panel. [1]

Impact

Successful exploitation results in stored XSS within the WordPress admin interface: the injected JavaScript runs in the session of every administrator who views the affected settings page, and can create accounts, change options, or install code, i.e. full site compromise. [1] Two triage caveats follow from the preconditions above. First, an attacker who can submit the form directly is already an administrator, so the practical severity rests on the CSRF chain, which lets an unauthenticated remote attacker plant the payload through a victim admin. Second, on single-site WordPress installs administrators hold the unfiltered_html capability and may legitimately author raw HTML, so a scanner that flags only "admin can store script" understates the point; the missing nonce is what turns this into a remotely triggerable bug.

Mitigation

Reference [1] reported no vendor fix at the time of publication (2018-01-12); the GitHub Security Advisory for this CVE now lists 1.9.7 as the first fixed version, so upgrade WPGlobus to 1.9.7 or later. Where that is not immediately possible, deactivate the plugin, or deploy a web application firewall (WAF) rule for POSTs to wp-admin/options.php that rejects wpglobus_option[post_type][...] fields whose keys and values are not simple tokens. Prefer a character allowlist over a blocklist of script tags, since attribute breakouts and event handlers bypass tag-matching rules. [1]
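The allowlist described above, as an added example that is not WPGlobus code and does not come from the cited references. It parses a form-encoded POST body the way wp-admin/options.php receives it, walks the PHP-style nested field names, and flags any wpglobus_option[post_type][...] key or value that is not a short token. The same logic is what a plugin-side sanitize callback should apply before the option is stored. Assumptions, labelled in the code as well: legitimate values are short flags or post type slugs, and the option_page/action fields in the sample bodies are placeholders rather than the plugin's actual field names. The request bodies are constructed for illustration.

```python
"""Added example, not WPGlobus code: an allowlist check for the
wpglobus_option[post_type][...] fields of a POST to wp-admin/options.php.

Serves as a WAF rule that rejects requests carrying markup in those fields,
and as the logic a plugin's option sanitizer should apply before storing.
Legitimate values are ASSUMED to be short tokens (a "1"/"on" flag or a post
type slug); the request bodies at the bottom are constructed.
"""
import re
from urllib.parse import parse_qsl

# WordPress post type slugs: lowercase letters, digits, '-' and '_', at most
# 20 characters. Applied to the array key under wpglobus_option[post_type].
SLUG_RE = re.compile(r"^[a-z0-9_-]{1,20}$")
# Assumed shape of a legitimate value: a short flag or slug, nothing that can
# open a tag or break out of an attribute. Blank is allowed (unchecked box).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{0,20}$")

# PHP-style array syntax: name[a][b] -> ("name", "a", "b")
KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")


def split_php_key(key):
    """Split a PHP array-style form field name into its key path."""
    m = KEY_RE.match(key)
    if not m:
        return (key,)
    head, brackets = m.group(1), m.group(2)
    return (head, *re.findall(r"\[([^\[\]]*)\]", brackets))


def find_violations(body):
    """Return (field, value) pairs under wpglobus_option[post_type] that fail
    the allowlist. parse_qsl percent-decodes names and values, so encoded
    brackets and angle brackets are seen as WordPress would see them."""
    bad = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        path = split_php_key(field)
        if path[:2] != ("wpglobus_option", "post_type"):
            continue
        leaf = path[2] if len(path) > 2 else ""
        # Both the array key (the post type slug) and the value are checked:
        # a payload in either would be stored and rendered back.
        if not SLUG_RE.match(leaf) or not TOKEN_RE.match(value):
            bad.append((field, value))
    return bad


def is_blocked(body):
    """WAF-style decision: block the request if any field fails the allowlist."""
    return bool(find_violations(body))


# Constructed sample bodies. option_page/action are placeholder field names,
# not taken from the plugin; the payload is a generic attribute-breakout probe.
BENIGN_BODY = (
    "option_page=wpglobus_option&action=update"
    "&wpglobus_option%5Bpost_type%5D%5Bpost%5D=1"
    "&wpglobus_option%5Bpost_type%5D%5Bpage%5D=1"
)
MALICIOUS_BODY = (
    "option_page=wpglobus_option&action=update"
    "&wpglobus_option%5Bpost_type%5D%5Bpost%5D="
    "%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)
# Same idea aimed at the array key instead of the value.
KEY_INJECTION_BODY = (
    "option_page=wpglobus_option&action=update"
    "&wpglobus_option%5Bpost_type%5D%5B%3Cimg%20src%3Dx%3E%5D=1"
)

if __name__ == "__main__":
    for name, body in [("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY),
                       ("key injection", KEY_INJECTION_BODY)]:
        verdict = "BLOCK" if is_blocked(body) else "allow"
        print(name, "->", verdict, find_violations(body))
```

Run it directly to see the three verdicts. The check deliberately does not look for `<script>`: anything outside the token alphabet is rejected, which also catches `"` and `>` attribute breakouts and `onerror=` handlers that a tag blocklist misses. A plugin-side fix would additionally compare the slug against get_post_types() so only registered post types are stored.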

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions   Patched versions
wpglobus/wpglobus (Packagist)   < 1.9.7             1.9.7

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.