CVE-2018-18373 : Security Advisory and Response

A security issue has been identified in version 1.2.3 of the "Support Board - Chat And Help Desk" plugin for WordPress, leading to a Stored Cross-Site Scripting (XSS) vulnerability.

Understanding CVE-2018-18373

This CVE involves a vulnerability in the file upload areas of the Chat and Help Desk sections of the plugin.

What is CVE-2018-18373?

The vulnerability allows for Stored Cross-Site Scripting (XSS) attacks through the "msg" parameter in the "/wp-admin/admin-ajax.php" file within the "sb_ajax_add_message" action.

The Impact of CVE-2018-18373

The vulnerability could be exploited by attackers to execute malicious scripts in the context of the user's browser, potentially leading to unauthorized actions or data theft.

Technical Details of CVE-2018-18373

The technical aspects of this CVE are as follows:

Vulnerability Description

A Stored Cross-Site Scripting (XSS) vulnerability in the file upload areas of the Chat and Help Desk sections of the plugin.

Affected Systems and Versions

Product: "Support Board - Chat And Help Desk" plugin for WordPress
Vendor: Schiocco
Version: 1.2.3

Exploitation Mechanism

The vulnerability can be exploited through the "msg" parameter in the "/wp-admin/admin-ajax.php" file within the "sb_ajax_add_message" action.

Mitigation and Prevention

It is crucial to take immediate steps to address and prevent exploitation of this vulnerability:

Immediate Steps to Take

Update the plugin to the latest version that contains a patch for the XSS vulnerability.
Consider disabling file uploads in the affected plugin areas until a patch is applied.

Long-Term Security Practices

Regularly monitor security advisories and updates for the plugin.
Implement web application firewalls and security plugins to enhance protection against XSS attacks.

Patching and Updates

Apply patches and updates provided by the plugin developer promptly to mitigate the vulnerability and enhance security measures.