CVE-2024-7133 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. It lets an attacker with access to the plugin's settings store malicious JavaScript (JS) that later runs in the browser of any administrator who opens the affected settings. From there the attacker can take over administrator accounts, plant persistent backdoors, and control the entire WordPress site. The root cause is missing sanitization of user input, specifically in the "Font size" field used when creating a sticky bar.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-7133 |
| Plugin | My Sticky Bar < 2.7.3 |
| Severity | High |
| Downloads (all time) | 3 163 609 |
| Active installations | 100 000+ |
| Publicly published | August 19, 2024 |
| Last updated | August 19, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 (2017) | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference (MITRE) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7133 |
| Reference (WPScan) | https://wpscan.com/vulnerability/c81c1622-33d1-41f2-ba63-f06bd4c125ab/ |
Timeline

| Date | Event |
| --- | --- |
| June 25, 2024 | Testing of the My Sticky Bar plugin completed and the vulnerability detected |
| June 25, 2024 | I contacted the plugin author and provided a PoC with a description and recommendations for a fix |
| August 19, 2024 | CVE-2024-7133 registered |
Discovery of the Vulnerability
During testing it turned out that the plugin does not sanitize the "Font size" field when a new sticky bar is created. A user with editor-level permissions can store JavaScript in that field, and the code executes whenever an administrator or another privileged user opens or edits the sticky bar settings.
Understanding XSS attacks
Cross-Site Scripting (XSS) is a common vulnerability that occurs when user input is not properly validated or sanitized before it is written into a page. It lets an attacker inject code into web pages that other users load. In WordPress, plugins are a frequent XSS vector because of the wide range of input fields and output templates they add, and My Sticky Bar is no exception.
Stored XSS, the class CVE-2024-7133 belongs to, occurs when the malicious code is saved on the server side and executed every time a user with sufficient privileges views or interacts with the stored data. This is particularly dangerous because the payload survives page reloads and sessions: the attacker can keep control of the site, steal session cookies, or change settings without the administrator noticing.
In this case the vulnerable input is the "Font size" field of My Sticky Bar. The value is stored as entered and executed when an administrator displays or edits the bar. Earlier XSS bugs in WordPress plugins have been used for site defacement, session hijacking, and data theft.
Exploiting the XSS Vulnerability
To exploit CVE-2024-7133, an attacker with editor-level access creates a new sticky bar in the My Sticky Bar plugin and enters a payload such as

1123"dshf=+"";shfd="\";</style><img+src=x+onerror=alert(1)>

into the "Font size" field (the + signs are URL-encoded spaces, as the value appears in the submitted request). The plugin stores the value unmodified in its settings. When the settings are rendered, the closing </style> tag in the payload ends the style block the font size is emitted into (which is why the payload carries one), and the following <img> element's onerror handler runs the attacker's JavaScript in the browser of the administrator viewing or editing the bar.
PoC:
1. Open My Sticky Bar in the WordPress admin and create a "New Bar".
2. Set the Font size field, which is submitted as mysticky_option_welcomebar%5Bmysticky_welcomebar_fontsize%5D (URL-decoded: mysticky_option_welcomebar[mysticky_welcomebar_fontsize]), to
   1123"dshf=+"";shfd="\";</style><img+src=x+onerror=alert(1)>
3. Click Save Settings. The alert fires the next time the stored value is rendered for a privileged user.
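The following PHP script is an added example written for this article; it is not code from the My Sticky Bar plugin. It decodes the PoC request body exactly as PHP would when building $_POST, pushes the result through a hypothetical unescaped template of the kind the payload's </style> is built to break out of (the plugin's real template is not shown here and is an assumption), and then through a hardened version that validates the font size as a bounded integer. The function names, the CSS selector and the 8-100 px range are illustrative choices.

```php
<?php
// Added example, not the plugin's own code. Decodes the PoC request body,
// renders it through a hypothetical vulnerable template, then through a
// hardened one. Run with: php fontsize_xss.php

// The PoC form field, exactly as it appears in the URL-encoded POST body.
// The only encoding inside the value itself is '+' for space.
$body = 'mysticky_option_welcomebar%5Bmysticky_welcomebar_fontsize%5D='
      . '1123"dshf=+"";shfd="\";</style><img+src=x+onerror=alert(1)>';

// parse_str() applies the same decoding PHP uses for $_POST: %5B/%5D become
// [ ], '+' becomes a space, and the bracket syntax yields a nested array, so
// the plugin sees $_POST['mysticky_option_welcomebar']['mysticky_welcomebar_fontsize']
// holding the raw payload.
parse_str($body, $post);
$settings = $post['mysticky_option_welcomebar'];

/**
 * Hypothetical vulnerable pattern (assumption, not the plugin's code): the
 * stored value is dropped straight into an inline <style> block. A "</style>"
 * inside the value ends the block and everything after it is parsed as HTML,
 * which is exactly what the PoC relies on.
 */
function render_vulnerable(array $s): string
{
    return '<style>.mysticky-welcomebar{font-size:'
        . $s['mysticky_welcomebar_fontsize'] . 'px}</style>';
}

/**
 * Validation for a numeric setting: accept only an integer within a sane
 * range, otherwise fall back to the default. In a WordPress plugin this is
 * what the sanitize_callback passed to register_setting() should do before
 * the value reaches the database. WordPress' absint() is a looser stand-in:
 * it keeps the leading digits of the payload (1123) but has no upper bound.
 */
function sanitize_fontsize($value, int $default = 14): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 8, 'max_range' => 100],
    ]);
    return $n === false ? $default : $n;
}

/**
 * Hardened rendering: validate again at output time (defence in depth, in
 * case the row was written by an older plugin version or edited directly in
 * the database) and cast to int so no non-digit character can reach markup.
 * HTML-escaping alone would be the wrong tool inside a <style> block; for a
 * numeric setting the integer cast is the fix.
 */
function render_hardened(array $s): string
{
    $size = sanitize_fontsize($s['mysticky_welcomebar_fontsize'] ?? null);
    return '<style>.mysticky-welcomebar{font-size:' . (int) $size . 'px}</style>';
}

echo "Decoded field value:\n  ", $settings['mysticky_welcomebar_fontsize'], "\n\n";
echo "Vulnerable output (style block closed, <img> injected):\n  ",
     render_vulnerable($settings), "\n\n";
echo "Hardened output (payload replaced by the default size):\n  ",
     render_hardened($settings), "\n";
```

The two render functions take the same decoded array, so the difference in output is entirely down to validation. Wiring the check into a real plugin means registering the option with a sanitize_callback that applies sanitize_fontsize() to the font-size key and a matching rule to every other key of the settings array, and never trusting the stored value at output time either.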
The risk posed by CVE-2024-7133 is significant, particularly for sites using the My Sticky Bar plugin to engage with users or highlight important content. A successful attack could result in complete control of the website, allowing the attacker to deface the site, steal sensitive information, or redirect users to malicious websites.
In real-world scenarios, attackers could exploit this vulnerability to install persistent backdoors that give them ongoing access to the site. This could be particularly damaging for businesses that rely on their WordPress site for customer engagement, e-commerce, or lead generation. By maintaining control, attackers could monitor user activity, steal credentials, or manipulate site content for malicious purposes.
Recommendations for Improved Security
To mitigate CVE-2024-7133, WordPress administrators should update My Sticky Bar to version 2.7.3 or later, the first version outside the affected range. On the developer side, a numeric setting such as "Font size" must be validated as an integer when it is saved (a sanitize_callback on the registered setting) and escaped for the context it is written into; a free-form string should never reach an inline style block or an attribute unmodified.
Administrators should also review user permissions and limit which roles may insert unfiltered HTML or JavaScript into the site. Defining DISALLOW_UNFILTERED_HTML in wp-config.php removes the unfiltered_html capability from every role, although it does not help against a plugin that skips sanitization altogether. Security plugins that monitor for suspicious activity or block XSS attempts add a further layer, and plugin settings and code should be audited regularly so that already-stored payloads and sanitization gaps are found before they are exploited.
Finally, a web application firewall (WAF) can block obviously malicious requests, such as the payload above, before they reach the server. Treat it as a stopgap, not a substitute for the plugin update.
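The audit the recommendations call for can be scripted. The PHP script below is an added example (not CleanTalk's or the plugin's code) that walks a stored settings array and flags any value containing markup, so an administrator can tell whether a site already carries a payload like the one in the PoC. The sample option value is constructed for the example; the option name mysticky_option_welcomebar is inferred from the PoC's form field name and is an assumption, as are the other keys in the array.

```php
<?php
// Added example, not the plugin's or CleanTalk's code: audit a WordPress
// settings array for stored markup. Run with: php audit_option.php

// Constructed sample in the shape WordPress stores a settings array:
// a PHP-serialized string in wp_options.option_value. Keys other than the
// font-size one are made up for the example.
$stored = serialize([
    'mysticky_welcomebar_fontsize' => '1123"dshf= "";shfd="\";</style><img src=x onerror=alert(1)>',
    'mysticky_welcomebar_bgcolor'  => '#ff0000',
    'mysticky_welcomebar_text'     => 'Welcome to our site',
]);

// Tokens that have no business in a numeric or colour setting: tag
// delimiters, double quotes, inline event handlers, javascript: URLs.
const SUSPICIOUS = '/[<>"]|\bon[a-z]+\s*=|javascript:/i';

/**
 * Unserialize a wp_options value and return every leaf string that matches
 * SUSPICIOUS, keyed by its dotted path inside the array.
 */
function find_markup_in_option(string $serialized): array
{
    // allowed_classes => false: stored data must never instantiate objects,
    // otherwise the audit tool itself becomes a deserialization sink.
    $data = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }

    $hits = [];
    $walk = function ($value, string $path) use (&$walk, &$hits): void {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $walk($v, $path === '' ? (string) $k : "$path.$k");
            }
        } elseif (is_string($value) && preg_match(SUSPICIOUS, $value)) {
            $hits[$path] = $value;
        }
    };
    $walk($data, '');

    return $hits;
}

$hits = find_markup_in_option($stored);
if ($hits === []) {
    echo "No markup found in stored option.\n";
}
foreach ($hits as $path => $value) {
    printf("SUSPICIOUS %s: %s\n", $path, $value);
}
```

On a real site, feed the function the raw option_value row (for example from SELECT option_value FROM wp_options WHERE option_name = 'mysticky_option_welcomebar', with the table prefix and option name adjusted to the installation). For numeric and colour fields any hit is a finding; for free-text fields such as the bar's message the pattern is a heuristic and should be tuned, since a legitimate message may contain a double quote.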
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7133, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
ARTYOM K.