Optimole WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Optimole WordPress plugin, specifically in versions through 4.2.2. The issue arises from inadequate input sanitization and output escaping of the 's' parameter (srcset descriptor) in the unauthenticated '/wp-json/optimole/v1/optimizations' REST endpoint. Although the endpoint validates requests with an HMAC signature and timestamp, these values are exposed in the frontend HTML, accessible to all visitors. The plugin's use of 'sanitize_text_field()' on the descriptor value strips HTML tags but fails to escape double quotes. Consequently, malicious scripts can be injected into the srcset attribute and executed when the page is accessed.

Impact

Exploitation of this vulnerability allows for the injection of arbitrary web scripts, which are executed when a user accesses the affected page.

Reproduction

To reproduce this vulnerability, send a POST request to the '/wp-json/optimole/v1/optimizations' endpoint with a crafted 's' parameter that includes a script payload. The HMAC signature and timestamp must be included to validate the request, but these values can be exposed in the frontend HTML. Once the request is processed, the injected script will be executed when the page is accessed.

Remediation

Users are advised to update the Optimole WordPress plugin to version 4.2.3 or later.