The WordPress ecosystem is home to numerous plugins that enhance functionality, but this diversity also introduces potential vulnerabilities. A significant security flaw has been identified in the WP ULike plugin, marked as CVE-2024-6094, which jeopardizes website integrity by allowing Stored Cross-Site Scripting (XSS) attacks.

CVECVE-2024-6094
PluginWP ULike < 4.7.1
CriticalHigh
All Time1 752 272
Active installations80 000+
Publicly PublishedAugust 1, 2024
Last UpdatedAugust 1, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6094
https://wpscan.com/vulnerability/019b3f34-7b85-4728-8dd7-ca472d6b2d06/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

June 17, 2024Plugin testing and vulnerability detection in the WP Ulike have been completed
June 17, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 1, 2024Registered CVE-2024-4260

Discovery of the Vulnerability

The vulnerability was uncovered during routine security testing aimed at identifying potential security weaknesses within plugins. WP ULike, widely used for adding like and dislike functionality to WordPress posts, pages, and comments, presented a critical flaw in its “Button Image” configuration setting.

Understanding of Stored XSS attack’s

Stored XSS attacks involve malicious scripts being permanently stored on target servers, such as in a database, message forum, visitor log, comment field, etc. When users access the stored information, the malicious script executes, leading to potential data theft or account manipulation. In the case of WP ULike, the vulnerability allows attackers to insert JavaScript code into the “Button Image” field, which is then executed when the setting is rendered on a user’s browser.

Exploiting the Stored XSS Vulnerability

The exploitation process involves an attacker embedding JavaScript code within the “Button Image” field of the WP ULike settings. This code is crafted to execute when a user interacts with the like or dislike buttons on the site. The malicious script could redirect users to malicious websites, steal cookies, or even manipulate user sessions.

POC:

You should change “Button Image” field in main settings to “Malicious JS code eval() and etc. For example https://123.123″asdasd=”</style><img src=x onerror=alert(1)> -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

The risks associated with this vulnerability are high, primarily because it can be used to create a backdoor into the admin account of a WordPress site. Once exploited, an attacker could potentially take over the entire site, steal sensitive user data, and spread the attack further to visitors of the site.

Recommendations for Improved Security

To mitigate this vulnerability and enhance overall site security, it is recommended that:

  • The WP ULike plugin be updated as soon as a security patch is available.
  • Website administrators disable the unfiltered_html capability for all roles except trusted administrators.
  • Regular security audits and updates of all installed plugins and themes are conducted.
  • Use of security plugins that provide firewall and malware scanning functionalities.

By taking proactive measures to address SSRF vulnerabilities like CVE-2024-6094, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #XSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-6094 – WP ULike – Stored XSS to Backdoor Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *