CVE-2019-16289
Description
Authenticated stored XSS in Woody ad snippets (insert-php) plugin before 2.2.8 via the winp_item parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The insert-php (Woody ad snippets) plugin for WordPress, in versions before 2.2.8, contains a stored cross-site scripting (XSS) vulnerability in the winp_item parameter. An authenticated user with access to the snippet editor can submit arbitrary HTML or JavaScript in this parameter; the value is stored without adequate sanitization and later written into a page without output escaping, so the payload executes whenever the snippet is rendered in the admin interface or displayed on the frontend [1].
Exploitation
An attacker needs WordPress credentials for an account that can create or edit Woody code snippets (typically an Administrator or Editor). The attacker places a crafted payload in the winp_item field when creating or updating a snippet. No further user interaction is required beyond a victim loading a page on which the snippet is rendered [1]. One caveat when rating this: on a single-site WordPress install, Administrators and Editors already hold the unfiltered_html capability and can post raw HTML, so the practical risk is highest where snippet editing has been granted to roles without that capability, or on multisite installs, where unfiltered_html is restricted to super admins by default.
Impact
Successful exploitation yields arbitrary JavaScript execution in the victim's browser, in the context of the site's origin and the victim's authenticated session. WordPress sets its authentication cookies HttpOnly, so direct cookie theft is usually not the realistic outcome; the more likely use is performing privileged actions as the victim (for example submitting wp-admin forms or REST API requests with nonces read from the page), defacing the admin area, or redirecting the victim to an attacker-controlled site. Because the XSS is stored, the payload persists and fires for every user who loads the compromised snippet [1].
Mitigation
Update to version 2.2.8 or later. The public write-up of the issue is dated 2019-09-13 [1]. No workaround is given in the available references; sites that cannot update should limit snippet creation and editing to trusted administrators, and treat any existing snippet whose winp_item value contains markup as suspect [1].
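The following PHP is an added illustration written for this page, not code from the insert-php plugin or from the cited advisory. It shows the class of bug described under Vulnerability and Exploitation (a snippet field stored unsanitized and echoed raw) beside a hardened save/render pair that applies the capability restriction recommended under Mitigation together with output escaping. The function names, the post-meta key and the nonce action are assumptions; the request field name winp_item is taken from the CVE description.

```php
<?php
// Illustrative only: a minimal snippet-field handler in the style of a WordPress
// plugin, written for this page. It is NOT the insert-php / Woody ad snippets code;
// demo_* names, the _demo_winp_item meta key and the nonce action are assumptions.

// --- Vulnerable pattern (the class of bug CVE-2019-16289 describes) ---

// Saves whatever the request carried, with no capability check, no nonce and
// no sanitization.
function demo_save_item_vulnerable( int $post_id ) {
    if ( ! isset( $_POST['winp_item'] ) ) {
        return;
    }
    update_post_meta( $post_id, '_demo_winp_item', wp_unslash( $_POST['winp_item'] ) );
}

// Echoes the stored value straight into an attribute and into element text.
// A stored value such as
//     " autofocus onfocus=alert(document.domain) x="
// breaks out of the attribute, and <script>...</script> runs in the <span>;
// either fires for every user who renders this markup (admin list or frontend).
function demo_render_item_vulnerable( int $post_id ) {
    $item = get_post_meta( $post_id, '_demo_winp_item', true );
    echo '<input type="text" name="winp_item" value="' . $item . '">';
    echo '<span class="winp-item">' . $item . '</span>';
}

// --- Hardened pattern ---

function demo_save_item_hardened( int $post_id ) {
    if ( ! isset( $_POST['winp_item'] ) ) {
        return;
    }
    // 1. Authorization: only a user allowed to edit this snippet may change it.
    //    This is the "restrict snippet editing" mitigation expressed in code.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 2. CSRF protection: the submitting form must carry a nonce for this action.
    check_admin_referer( 'demo_save_item_' . $post_id, 'demo_item_nonce' );
    // 3. Input sanitization: keep a plain-text value (tags and control bytes stripped).
    //    Note that sanitize_text_field() does NOT neutralize an attribute breakout
    //    like  " onfocus=alert(1) x=  because it contains no tags; step 4 is what
    //    actually prevents the XSS.
    $item = sanitize_text_field( wp_unslash( $_POST['winp_item'] ) );
    update_post_meta( $post_id, '_demo_winp_item', $item );
}

function demo_render_item_hardened( int $post_id ) {
    $item = get_post_meta( $post_id, '_demo_winp_item', true );
    // 4. Context-specific output escaping, applied at render time regardless of
    //    what the save path did: esc_attr() inside a quoted attribute, esc_html()
    //    in element text. Stored data is never trusted.
    echo '<input type="text" name="winp_item" value="' . esc_attr( $item ) . '">';
    echo '<span class="winp-item">' . esc_html( $item ) . '</span>';
    // Emit the nonce field the hardened save handler verifies.
    wp_nonce_field( 'demo_save_item_' . $post_id, 'demo_item_nonce' );
}
```

The split between steps 3 and 4 is the point to take away: sanitizing on input limits what is stored, but only escaping for the exact output context (attribute versus element text) stops a stored value from becoming executable markup, and that escaping has to happen on every render path, admin and frontend alike.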
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- insert-php (Woody ad snippets) plugin for WordPress, versions before 2.2.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] generaleg0x01.com/2019/09/13/xss-woody/
[2] wordpress.org/plugins/insert-php/
[3] wpvulndb.com/vulnerabilities/9880
News mentions
No linked articles in our index yet.