CVE-2024-3939 – Ditty – Stored XSS to JS backdoor creation – POC

A critical security vulnerability CVE-2024-3939 was discovered in the WordPress plugin Ditty, which was downloaded by more than 40k users. This vulnerability exposes websites to the risk of attacks using stored cross-site scripting (XSS), which can potentially lead to account hijacking and violation of the integrity of the website. (if an attacker has previously hacked into an administrator or editor account, they can use the backdoor to restore access)

Main info:

CVE	CVE-2024-3939
Plugin	Ditty < 3.1.36
Critical	High
All Time	2 289 865
Active installations	40 000+
Publicly Published	May 6, 2024
Last Updated	May 6, 2024
Researcher	Artyom Krugov
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3939/ https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

Discovery of the Vulnerability

During testing of the Ditty plugin, security researchers identified a vulnerability in the control panel’s Add New tab > Add Default section. Fields such as Content, Link, Link Title, and Label were found to be vulnerable, enabling Stored XSS attacks by injecting malicious short code into new publications. This discovery raises serious concerns about the plugin’s security posture and its impact on WordPress sites.

Understanding of Stored XSS attack’s

Stored XSS, or Persistent XSS, poses a significant risk to WordPress sites by allowing attackers to inject malicious code that persists across sessions. Examples include injecting code into form fields or comment sections, which, when executed, can lead to account hijacking, data theft, or malware distribution. In the case of Ditty, attackers can exploit this vulnerability to create a backdoor, compromising the security of affected websites..

Exploiting the Stored XSS Vulnerability

Exploiting the Stored XSS vulnerability in Ditty involves inserting malicious code into vulnerable fields, such as Content, Link, Link Title, and Label. Attackers can craft payloads containing JavaScript code to steal user cookies, redirect users to malicious sites, or perform actions on compromised accounts. Despite filtering attempts by the plugin, attackers can bypass these measures by encoding HTML characters, enabling successful exploitation of the vulnerability.

POC:

it was possible to detect a vulnerability in the control panel of the Add New tab > Add Default. There are fields in the settings that are vulnerable: Content, Link, Link Title, Lable. Payload:

"><script></script><img src=x onerror=alert(Malicious payload)>

____

The exploitation of CVE-2024-3939 in Ditty poses severe risks to WordPress sites and their users. Attackers can leverage the vulnerability to launch convincing phishing attacks, compromising user accounts and website integrity. Additionally, the ability to create a backdoor through Stored XSS opens the door to further exploitation, including data exfiltration and malware distribution, leading to reputational damage and financial loss.

Recommendations for Improved Security

Website administrators and WordPress users are strongly advised to update the Ditty to the latest patched version immediately. Additionally, developers should prioritize implementing robust input validation and output sanitization mechanisms within their plugins to mitigate the risk of XSS vulnerabilities. Regular security audits and proactive monitoring can also help identify and address potential security issues before they are exploited by malicious actors.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3939, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

Artyom k.