CVE-2023-49158
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Binh Nguyen LadiApp ladipage allows Stored XSS. This issue affects LadiApp: from n/a through <= 4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in LadiApp plugin for WordPress due to broken access control allows unprivileged users to inject malicious scripts.
Vulnerability
Analysis
The LadiApp plugin for WordPress (versions through 4.4) contains a stored cross-site scripting (XSS) flaw: user-supplied input is saved by the plugin and later emitted into a page without being neutralized. The weakness that makes it exploitable by low-privileged users is broken access control. The plugin functions that accept the input lack authorization (capability), authentication and nonce checks [1], so an account that should never reach a settings write path can store script in a value the plugin renders to other users. The missing nonce check also means the same write can be triggered by cross-site request forgery against a user who is logged in, since a WordPress nonce is the control that ties a state-changing request to the page that legitimately issued it.
Exploitation
An attacker with a low-privileged account (for example a subscriber or contributor, which on sites with open registration anyone can create) submits JavaScript into the affected fields. Because the payload is stored, no further action by the attacker is needed: it executes later in the browser of whoever views the page on which the plugin renders the value. The interaction required from the victim is simply viewing that page, and the realistic target is an administrator browsing the site or the plugin's settings screen [1]. Vulnerabilities that a self-registered account can trigger are routinely swept by automated campaigns across large numbers of WordPress sites, so exploitation should be assumed once the details are public.
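The mechanism described in the analysis and exploitation sections above (a settings write reachable by any logged-in user, and the stored value later echoed to administrators) side by side with the hardened form, as a minimal WordPress plugin. This is an illustration added to this page, not LadiApp's code or the actual vulnerable function; the xmp_* hook names, function names and option keys are hypothetical.

```php
<?php
/*
 * Illustration added for this page; not LadiApp code.  It reproduces the
 * pattern described above in a minimal WordPress plugin so the two halves
 * can be compared.  Every name here (xmp_* functions, hooks and option keys)
 * is hypothetical.  A real plugin would contain only one of the two halves.
 */

/* ---------- BEFORE: no capability check, no nonce, no sanitisation ---------- */

// wp_ajax_{action} hooks fire for ANY logged-in user, Subscriber included.
add_action( 'wp_ajax_xmp_save_banner_vuln', 'xmp_save_banner_vuln' );
function xmp_save_banner_vuln() {
    // Missing: current_user_can(), check_ajax_referer(), input filtering.
    update_option( 'xmp_banner_html_vuln', wp_unslash( $_POST['banner'] ?? '' ) );
    wp_send_json_success();
}

// The stored value is echoed verbatim into every page, so a subscriber who
// POSTs   banner=<img src=x onerror="/* attacker script */">
// to /wp-admin/admin-ajax.php?action=xmp_save_banner_vuln has that script run
// later in the browser of every visitor, administrators included.
add_action( 'wp_footer', function () {
    echo get_option( 'xmp_banner_html_vuln', '' );
} );

/* ---------- AFTER: the same feature with the three missing controls ---------- */

add_action( 'wp_ajax_xmp_save_banner', 'xmp_save_banner' );
function xmp_save_banner() {
    // 1. Authorisation: a capability check, not merely "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends JSON and exits
    }

    // 2. CSRF: the request must carry a nonce minted for this action, i.e. the
    //    value of wp_create_nonce( 'xmp_save_banner' ) in the _ajax_nonce field.
    //    check_ajax_referer() dies with HTTP 403 if it is absent or stale.
    check_ajax_referer( 'xmp_save_banner', '_ajax_nonce' );

    // 3. Store only markup the site is prepared to render.  wp_kses_post() keeps
    //    the tags a post author may use and strips <script>, on* event attributes
    //    and javascript: URLs.  Use sanitize_text_field() if the setting is text.
    $banner = wp_kses_post( wp_unslash( $_POST['banner'] ?? '' ) );
    update_option( 'xmp_banner_html', $banner );
    wp_send_json_success( array( 'length' => strlen( $banner ) ) );
}

// 4. Encode on output as well.  The option may have been written by another
//    code path (an import, an older plugin version), so the render site
//    re-applies the allow-list instead of trusting the stored value.
add_action( 'wp_footer', function () {
    echo wp_kses_post( get_option( 'xmp_banner_html', '' ) );
} );
```

The hardened half encodes the checklist that broken-access-control findings of this kind come down to: a wp_ajax_* or admin_post_* handler needs an explicit current_user_can() call (the hook firing proves only that someone is logged in), a check_ajax_referer() or check_admin_referer() call, and escaping chosen at the point of output. The nonce check is not a substitute for the capability check: a subscriber can obtain a valid nonce if the page or script that embeds it is served to subscribers, so both controls are needed.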
Impact
Successful exploitation allows an attacker to execute arbitrary script in the context of a victim's browser on the affected site. This can lead to data theft, session hijacking, defacement, or redirection to malicious sites. In WordPress specifically, the authentication cookies are set HttpOnly, so reading them is rarely the payoff; script running in an administrator's session can instead drive wp-admin and admin-ajax requests with that user's privileges and nonces (creating a new administrator account, editing theme files, installing a plugin), which is the usual route from stored XSS to full site compromise. The vulnerability affects all sites using LadiApp plugin versions up to and including 4.4.
Mitigation
Update the LadiApp plugin to a release newer than 4.4 as soon as one is available; at the time this page was generated no patch is listed here, so check the plugin's changelog and the advisory [1] directly. Until a fixed release can be tested and deployed, apply the virtual mitigation rule from Patchstack if you use that service [1]. Independently of that, reduce who can reach the vulnerable code path: since a subscriber-level account is sufficient, disable self-registration where the site does not need it (Settings > General, "Anyone can register", stored as the users_can_register option), review existing low-privileged accounts, and inspect the plugin's stored settings for injected markup such as script tags or on* event attributes. If none of this is possible, deactivate the plugin until it is fixed. Contact your hosting provider or web developer for assistance if needed.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
References: 1
News mentions: 0
No linked articles in our index yet.