CVE-2024-2189 – Social Icons Widget & Block – Stored XSS to JS backdoor creation – POC

A critical security vulnerability, CVE-2024-2189, has been identified in the Social Icons Widget & Block WordPress plugin, which boasts over 100k installations. This vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

Main info:

CVE	CVE-2024-2189
Plugin	Social Icons Widget & Block < 4.2.18
Critical	High
All Time	2 854 260
Active installations	100 000+
Publicly Published	April 30, 2024
Last Updated	April 30, 2024
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2189 https://wpscan.com/vulnerability/b8661fbe-78b9-4d29-90bf-5b68af468eb6/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

Discovery of the Vulnerability

During routine security assessments, researchers discovered a flaw in the Social Icons Widget & Block plugin that allows attackers to execute malicious JavaScript code on behalf of an editor. This vulnerability enables threat actors to create a backdoor for account takeover, posing a significant risk to WordPress websites utilizing the plugin.

Understanding of Stored XSS attack’s

Stored XSS attacks occur when malicious scripts are injected into a web application and executed within the context of another user’s session. In WordPress, plugins like Social Icons Widget & Block are susceptible to such attacks if they fail to properly sanitize user inputs. Real-world examples of Stored XSS vulnerabilities highlight the severity of these issues, as they can lead to unauthorized access, data theft, and website defacement.

Exploiting the Stored XSS Vulnerability

By exploiting the CVE-2024-2189 vulnerability, attackers can inject malicious script payloads into specific fields of the Social Icons Widget & Block plugin, such as the “color_picker_fields” field. When unsuspecting users interact with these elements, the injected JavaScript code gets executed, facilitating account takeover and compromising website security.

POC:

When creating a new widget, insert the following payload in the “color_picker_fields” field – 123″ onmouseover=’alert(/XSS/)’ (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

The CVE-2024-2189 vulnerability poses a significant risk to WordPress websites utilizing the Social Icons Widget & Block plugin. Attackers could leverage this flaw to execute various malicious activities, including creating JavaScript backdoors, redirecting users to malicious websites, or stealing sensitive user information. In real-world scenarios, such attacks could result in severe consequences, including reputation damage and financial losses.

Recommendations for Improved Security

Website administrators and WordPress users are strongly advised to update the Social Icons Widget & Block plugin to the latest patched version immediately. Additionally, developers should prioritize implementing robust input validation and output sanitization mechanisms within their plugins to mitigate the risk of XSS vulnerabilities. Regular security audits and proactive monitoring can also help identify and address potential security issues before they are exploited by malicious actors.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2189, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.