CVE-2024-6025 – Quiz and Survey Master – Stored XSS to Admin Account Creation – POC

In the ever-evolving landscape of web security, vulnerabilities within plugins can pose significant threats to websites, particularly those built on widely used platforms like WordPress. One such vulnerability recently discovered is CVE-2024-6025, which affects the Quiz and Survey Master plugin. This flaw allows for Stored Cross-Site Scripting (XSS) attacks, potentially leading to the creation of admin accounts through malicious JavaScript code. With over 40,000 active installations, the ramifications of this vulnerability are profound, necessitating immediate attention and remediation.

CVE	CVE-2024-6025
Plugin	Quiz and Survey Master < 9.0.5
Critical	High
All Time	2 411 320
Active installations	40 000+
Publicly Published	June 27, 2024
Last Updated	June 27, 2024
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6025 https://wpscan.com/vulnerability/15abc7dd-95b1-4dad-ba25-eb65105d3925/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

Discovery of the Vulnerability

The discovery of CVE-2024-6025 came to light during routine security testing of the Quiz and Survey Master plugin. Security researchers found that contributors could embed malicious JavaScript code within new posts. This stored XSS vulnerability could be exploited to escalate privileges, culminating in the creation of unauthorized admin accounts. The specific payload used to demonstrate this flaw is: 123" asdasd=' onmouseover=alert(1)//.

Understanding of Stored XSS attack’s

Cross-Site Scripting (XSS) is a prevalent vulnerability in web applications, including WordPress, where malicious scripts are injected into otherwise benign and trusted websites. When these scripts are executed in the context of the victim’s browser, they can perform unauthorized actions such as stealing cookies, session tokens, or other sensitive information, and even altering the content of web pages. Real-world examples of XSS attacks include stealing user credentials, redirecting users to malicious sites, and, as in the case of CVE-2024-6025, creating new administrative accounts.

Exploiting the Stored XSS Vulnerability

To exploit this vulnerability, an attacker needs to follow these steps:

POC:

123″ asdasd=’ onmouseover=alert(1)//

____

The potential risks associated with CVE-2024-6025 are severe. If exploited, this vulnerability could lead to:

• Unauthorized admin account creation: Attackers can gain full control of the website.
• Data breaches: Sensitive user information could be accessed and exfiltrated.
• Website defacement: Malicious actors could alter the website’s content to distribute misinformation or malware.
• Further exploitation: Compromised sites could be used to launch additional attacks on visitors or other websites.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-6025, the following security measures are recommended:

• Update the Plugin: Ensure the Quiz and Survey Master plugin is updated to the latest version, where this vulnerability is patched.
• Sanitize and Validate Inputs: Implement rigorous input sanitization and validation to prevent the injection of malicious scripts.
• Use Security Plugins: Employ security plugins that offer XSS protection and regularly scan for vulnerabilities.
• Restrict User Permissions: Limit the permissions of contributors and other non-admin users to minimize the risk of exploitation.
• Regular Security Audits: Conduct regular security audits and penetration tests to identify and address vulnerabilities promptly.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6025, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.