CVE-2024-6887 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Giveaways and Contests by RafflePress plugin, used by over 30,000 WordPress installations to run giveaways and contests. This vulnerability allows attackers to inject malicious JavaScript (JS) through the plugin’s settings. The attack can be initiated by users with editor-level access, resulting in account takeover, backdoor creation, and potentially long-term control over the affected WordPress site. The flaw resides in the plugin’s failure to properly sanitize inputs, particularly in the “Button color” field.
| CVE | CVE-2024-6887 |
| Plugin | Giveaways and Contests by RafflePress < 1.12.16 |
| Critical | High |
| All Time | 456 789 |
| Active installations | 30 000+ |
| Publicly Published | August 19, 2024 |
| Last Updated | August 19, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6887 https://wpscan.com/vulnerability/553806f4-da20-433c-8c19-35e6c87ccade/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| June 25, 2024 | Plugin testing and vulnerability detection in the Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers have been completed |
| June 25, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| August 19, 2024 | Registered CVE-2024-6887 |
Discovery of the Vulnerability
The vulnerability was uncovered during testing of the RafflePress plugin when it was observed that the “Button color” field within the settings of a new giveaway was susceptible to XSS injection. By manipulating this field and injecting malicious JavaScript, an attacker could execute harmful scripts when an admin or editor interacted with the giveaway. The plugin failed to sanitize the input, leaving a significant attack surface for exploitation.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a well-known web vulnerability that occurs when user inputs are not properly sanitized, allowing attackers to insert malicious scripts into trusted web pages. In WordPress, XSS vulnerabilities are especially dangerous due to the platform’s reliance on plugins for added functionality. Stored XSS, in particular, allows the malicious script to be saved within the site, ready to execute when certain pages or settings are accessed.
In the case of CVE-2024-6887, the vulnerable “Button color” field allows an attacker to insert malicious JavaScript, which is then executed when an admin or editor interacts with the giveaway settings or views the contest page. This type of attack can escalate privileges, steal session cookies, or execute further malicious actions on the site, such as creating additional administrator accounts or installing persistent backdoors.
Exploiting the XSS Vulnerability
To exploit CVE-2024-6887, an attacker with editor-level access can create a new giveaway using the RafflePress plugin. By injecting malicious JavaScript into the “Button color” field, such as </style><img src=x onerror=alert(1)>, the attacker stores the script within the plugin’s settings. Once the settings are saved, the script executes whenever the page or giveaway is viewed by an admin, giving the attacker control over the admin session.
POC:
You should change "Button color" field in settings of a new Giveaway to "Malicious JS code eval() and etc. For example </style><img src=x onerror=alert(1)> -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The potential risks of CVE-2024-6887 are significant, especially for sites running contests or giveaways with high user interaction. Successful exploitation can lead to an attacker gaining full control of a site, installing persistent backdoors, or stealing sensitive data such as customer information or payment details.
In a real-world scenario, an attacker could exploit this vulnerability to inject malware into a giveaway page, redirect users to phishing sites, or steal sensitive user data submitted during the contest. Furthermore, the attacker could create unauthorized admin accounts, allowing them to control the site indefinitely, making detection and remediation more difficult.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-6887, WordPress administrators should immediately update the RafflePress plugin to the latest version as soon as a patch is released. Developers must ensure that all user inputs, especially those that modify HTML and CSS attributes like the “Button color” field, are properly sanitized and validated to prevent XSS attacks.
Additionally, WordPress site owners should review the permissions assigned to editor-level users and restrict the use of unfiltered HTML or JavaScript wherever possible. Implementing security plugins that monitor for and block XSS attacks can add an extra layer of defense. Regular security audits of plugins and themes should also be performed to detect vulnerabilities before they can be exploited.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6887, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
ARTYOM K.
