Multiple Vulnerabilities Patched in Shield Security

Wordfence Threat Intelligence team began the responsible disclosure process for two vulnerabilities in Shield Security, a security plugin with over 50,000 installations. One of these vulnerabilities allowed unauthenticated attackers to inject malicious JavaScript into an administrator dashboard in some configurations, while another allowed authenticated attackers to spoof log entries into the same dashboard, which could also be used to exploit the first vulnerability in configurations where the unauthenticated technique was not viable.

The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the ‘User-Agent’ header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the ‘theme-plugin-file’ AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.

The Shield Security plugin includes a number of features, including an audit log that records certain types of suspicious activity, such as plugin and theme installation, modification, post deletion, and other types of activity that might impact the site. While most of these events require authentication or higher privileges in order to trigger, we found that certain events could be triggered by unauthenticated users. In particular, failed attempts to authenticate using application passwords, new user registrations, and spam activity are among the actions recorded for unauthenticated users.

The audit log records metadata about the client that performed the logged activity, including the client’s User-Agent, which can be accessed by clicking the “Meta” tag icon on an audit log entry. Unfortunately, the metadata was not escaped when it was output. While most of the metadata collected about a request has a very strict format and can only be spoofed to a limited extent, User-Agent strings are alphanumeric, and we were able to inject a script in an iframe in the User-Agent header that fired when an administrator viewed an event entry.

Source and more details:

Posted in Updates, Vulnerability.