CVE-2023-6987
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting (XSS) attacks via the 'sql-column' parameter in the String Locator WordPress plugin. Attackers can inject malicious scripts that execute when victims click specially crafted links, potentially stealing session cookies or performing actions as the user. Only WordPress sites with WP_DEBUG enabled and using vulnerable plugin versions are affected.
💻 Affected Systems
- WordPress String Locator Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access to WordPress, install backdoors, deface websites, or exfiltrate sensitive data.
Likely Case
Attackers steal user session cookies to hijack accounts, perform phishing attacks, or redirect users to malicious sites.
If Mitigated
With WP_DEBUG disabled (default), the vulnerability cannot be exploited, resulting in no impact.
🎯 Exploit Status
Exploitation requires tricking users into clicking malicious links. The vulnerability details and proof-of-concept are publicly available in the patch commit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.6
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3139143/string-locator/tags/2.6.6/includes/Extension/SQL/views/editor/sql.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'String Locator' and click 'Update Now' if available.
4. Alternatively, download version 2.6.6 from WordPress.org and manually replace the plugin files.
🔧 Temporary Workarounds
Disable WP_DEBUG
Prevents exploitation by removing the debug-mode precondition the vulnerability depends on.
Edit wp-config.php and set: define('WP_DEBUG', false);
Disable String Locator Plugin
Temporarily disables the vulnerable plugin until it is patched.
wp plugin deactivate string-locator
🧯 If You Can't Patch
- Disable WP_DEBUG in production environments immediately.
- Implement web application firewall (WAF) rules to block XSS payloads targeting the sql-column parameter.
🔍 How to Verify
Check if Vulnerable:
In WordPress admin → Plugins, check the String Locator version. If it is 2.6.5 or lower and WP_DEBUG is enabled, the site is vulnerable.
Check Version:
wp plugin get string-locator --field=version
Verify Fix Applied:
Verify String Locator plugin is updated to version 2.6.6 or higher in WordPress admin panel.
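The two checks above can be combined into one triage decision: the site is exposed only when the plugin is below 2.6.6 and wp-config.php explicitly enables WP_DEBUG (it is off unless defined true). The script below is an added example, not code from the advisory or the plugin; it takes the version string (for instance the output of `wp plugin get string-locator --field=version`) and the text of wp-config.php. It compares versions as integer tuples, because a plain string comparison would wrongly treat 2.6.10 as older than 2.6.6, and it assumes versions are dotted integers and that each define() sits on its own line. The config snippets are constructed sample input.

```python
import re

# Patched version from the advisory.
PATCHED_VERSION = (2, 6, 6)

# Matches define('WP_DEBUG', true) / define( "WP_DEBUG", false ) on a line.
WP_DEBUG_RE = re.compile(
    r"""define\s*\(\s*['"]WP_DEBUG['"]\s*,\s*(true|false)\s*\)""", re.IGNORECASE
)


def parse_version(version):
    """'2.6.10' -> (2, 6, 10); tuples compare numerically, strings do not.
    Assumption: dotted integers only (no pre-release suffixes)."""
    return tuple(int(part) for part in version.strip().split("."))


def wp_debug_enabled(wp_config_text):
    """WordPress treats WP_DEBUG as false unless wp-config.php defines it true.
    Commented-out lines (//, #, block-comment bodies) are skipped.
    Assumption: one define() per line."""
    for line in wp_config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        match = WP_DEBUG_RE.search(stripped)
        if match:
            return match.group(1).lower() == "true"
    return False


def is_vulnerable(plugin_version, wp_config_text):
    """True only when both advisory preconditions hold: old plugin and debug on."""
    return parse_version(plugin_version) < PATCHED_VERSION and wp_debug_enabled(
        wp_config_text
    )


# Constructed sample wp-config.php fragments for a stand-alone run.
CONFIG_DEBUG_ON = "<?php\ndefine( 'WP_DEBUG', true );\n"
CONFIG_DEBUG_OFF = "<?php\ndefine('WP_DEBUG', false);\n"
CONFIG_DEBUG_COMMENTED = "<?php\n// define('WP_DEBUG', true);\n"

if __name__ == "__main__":
    for version in ("2.6.5", "2.6.6", "2.6.10"):
        for label, cfg in (("on", CONFIG_DEBUG_ON), ("off", CONFIG_DEBUG_OFF)):
            print(f"version {version}, WP_DEBUG {label}: vulnerable={is_vulnerable(version, cfg)}")
```

Feed it the live values from `wp plugin get string-locator --field=version` and the site's wp-config.php; a result of False with debug on means the plugin is already at or above 2.6.6.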
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'sql-column' parameter with script tags or JavaScript payloads in WordPress access logs.
- Unusual GET requests to String Locator plugin endpoints with encoded payloads.
Network Indicators:
- Incoming requests with XSS payloads in query parameters targeting the vulnerable endpoint.
SIEM Query:
source="wordpress_access.log" AND "sql-column" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
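The indicators and SIEM query above match raw log text, but browsers and tooling normally send query parameters percent-encoded, so `<script` arrives in the access log as `%3Cscript` and `onerror=` as `onerror%3D`, which a raw-string match misses. The script below is an added example, not code from the advisory or the plugin: it extracts the request target from combined-format access log lines, decodes the query string, and applies the page's four indicators to the decoded 'sql-column' value regardless of the request path. The log lines and the /wp-admin/tools.php?page=string-locator path are constructed sample data, not taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The four indicators from the advisory's SIEM query, matched case-insensitively
# against the decoded parameter value.
XSS_INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_sql_column(log_line):
    """Return every decoded 'sql-column' value in the line, or [] if none.
    parse_qs performs the percent-decoding, so encoded payloads are visible."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    params = parse_qs(query, keep_blank_values=True)
    return params.get("sql-column", [])


def find_xss_indicators(value):
    """List the advisory indicators present in a decoded parameter value."""
    lowered = value.lower()
    return [indicator for indicator in XSS_INDICATORS if indicator in lowered]


def scan_access_log(lines):
    """Yield (log_line, decoded_value, indicators) for each suspicious request."""
    hits = []
    for line in lines:
        for value in extract_sql_column(line):
            found = find_xss_indicators(value)
            if found:
                hits.append((line, value, found))
    return hits


# Constructed sample access-log lines: one benign use of the parameter, two
# percent-encoded probes, and one unrelated request. Assumed path only.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET /wp-admin/tools.php?page=string-locator&sql-column=post_title HTTP/1.1" 200 5120',
    '203.0.113.11 - - [10/Jan/2024:12:00:05 +0000] "GET /wp-admin/tools.php?page=string-locator&sql-column=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.12 - - [10/Jan/2024:12:00:09 +0000] "GET /wp-admin/tools.php?page=string-locator&sql-column=x%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 5120',
    '203.0.113.13 - - [10/Jan/2024:12:00:12 +0000] "GET /index.php?s=hello HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line, value, found in scan_access_log(SAMPLE_LOG):
        print(f"{found} in sql-column={value!r}\n  {line}")
```

Neither encoded probe in the sample would match the raw SIEM query above; decode before matching, or extend the query with the percent-encoded forms of each indicator.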