CVE-2023-45065
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts via specially crafted URLs in the Mad Fish Digital Bulk NoIndex & NoFollow Toolkit WordPress plugin. When victims click these links, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. WordPress sites using plugin versions 1.42 or earlier are affected.
💻 Affected Systems
- Mad Fish Digital Bulk NoIndex & NoFollow Toolkit WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the WordPress site, install backdoors, deface the site, or exfiltrate sensitive data.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or display phishing content.
If Mitigated
With a strict Content Security Policy (CSP) that blocks inline scripts, the injected script does not run; with HttpOnly session cookies, a script that does run cannot read the cookie. The input validation/output escaping that actually removes the bug lives in the plugin and arrives only with the patch.
🎯 Exploit Status
Reflected XSS requires user interaction: the victim must open an attacker-supplied link, and must do so while logged in for any session-related impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.43 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Bulk NoIndex & NoFollow Toolkit by Mad Fish Digital'.
4. Click 'Update Now' if available, or download version 1.43+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the vulnerable plugin until it is patched:
wp plugin deactivate bulk-noindex-nofollow-toolkit-by-mad-fish
Implement WAF Rules
Add web application firewall rules that block requests carrying XSS payloads (script tags, `javascript:` URLs, event-handler attributes, including their URL-encoded forms) to the plugin's admin pages. Treat this as a stopgap: signature-based filters are routinely bypassed with alternative encodings.
🧯 If You Can't Patch
- Implement a strict Content Security Policy (CSP) that disallows inline scripts, so a reflected payload is not executed by the browser.
- Set the HttpOnly and Secure flags on session cookies to limit cookie theft. Note that HttpOnly does not stop a running payload from issuing authenticated requests in the victim's session; it only keeps the cookie value out of script reach.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Bulk NoIndex & NoFollow Toolkit by Mad Fish Digital' version <= 1.42.
Check Version:
wp plugin get bulk-noindex-nofollow-toolkit-by-mad-fish --field=version
Verify Fix Applied:
Confirm plugin version is 1.43 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- GET requests to WordPress admin or plugin endpoints whose query parameters contain script tags, `javascript:` URLs, or event-handler attributes, in plain or URL-encoded form.
- An existing session suddenly used from a new IP address or user agent shortly after that session requested a suspicious URL, which is consistent with a replayed (stolen) session cookie.
Network Indicators:
- HTTP requests containing <script>, javascript:, or encoded XSS payloads in URLs.
SIEM Query (adjust the source name to your log pipeline; match case-insensitively and add further encoded variants, since attackers vary casing and encoding):
source="wordpress.log" AND ("bulk-noindex-nofollow" OR "mad-fish") AND ("<script>" OR "javascript:" OR "%3Cscript%3E")
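The following is an added example, not part of the original advisory or of the plugin: a small log scanner that applies the indicators above to access-log lines, decoding query values before matching so that URL-encoded and double-encoded payloads are caught and only requests tied to this plugin are reported. The sample log lines are constructed; the admin page `admin.php?page=bulk-noindex-nofollow-toolkit-by-mad-fish` and the parameter name `s` are assumptions chosen for the sample data, not the plugin's documented endpoint or vulnerable parameter. Adjust `PLUGIN_MARKERS` to whatever your own logs show.

```python
"""Scan Apache/nginx combined-format access logs for reflected-XSS attempts
against the Bulk NoIndex & NoFollow Toolkit admin pages (CVE-2023-45065).

Added example (not the advisory's or the plugin's code). The request path and
the parameter name `s` in SAMPLE_LOG are assumptions used only for sample data.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic (not real logs). Lines 1-3 carry payloads
# (plain, attribute-injection, and double-encoded); line 4 is benign;
# line 5 carries a payload but does not touch the plugin, so it is ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-admin/admin.php?page=bulk-noindex-nofollow-toolkit-by-mad-fish&s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-admin/admin.php?page=bulk-noindex-nofollow-toolkit-by-mad-fish&s=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /wp-admin/admin.php?page=bulk-noindex-nofollow-toolkit-by-mad-fish&s=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "GET /wp-admin/admin.php?page=bulk-noindex-nofollow-toolkit-by-mad-fish&s=robots HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:05 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Strings that tie a request to this plugin (the slug from the WordPress repo).
PLUGIN_MARKERS = ("bulk-noindex-nofollow", "mad-fish")

# Payload indicators, applied to the fully decoded parameter value.
XSS_RE = re.compile(
    r"<\s*/?\s*(script|svg|img|iframe|body|object|embed)\b"  # tag injection
    r"|javascript\s*:"                                      # javascript: URLs
    r"|\bon[a-z]+\s*=",                                     # event-handler attrs
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads such as
    %253Cscript%253E end up as <script> before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_plugin_request(target: str) -> bool:
    """True if the request line mentions this plugin (path or query)."""
    lowered = target.lower()
    return any(marker in lowered for marker in PLUGIN_MARKERS)


def scan_line(line: str) -> list:
    """Return one hit dict per query parameter carrying an XSS indicator."""
    m = LOG_RE.match(line)
    if not m or not is_plugin_request(m.group("target")):
        return []
    hits = []
    query = urlsplit(m.group("target")).query
    # parse_qsl decodes one layer; fully_decode strips any remaining layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        found = XSS_RE.search(value)
        if found:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                         "value": value, "indicator": found.group(0)})
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of log lines and collect all hits."""
    return [hit for line in lines for hit in scan_line(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} "
              f"indicator={hit['indicator']!r} value={hit['value']!r}")
```

Decoding before matching is the point of the example: a SIEM string match on `%3Cscript%3E` alone misses mixed-case and double-encoded variants, while matching on the decoded value catches all three sample payloads and still ignores the benign request and the off-target one.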
🔗 References
- https://patchstack.com/database/vulnerability/bulk-noindex-nofollow-toolkit-by-mad-fish/wordpress-bulk-noindex-nofollow-toolkit-plugin-1-42-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve