The WordPress ecosystem is home to numerous plugins that extend site functionality, but every plugin also adds attack surface. A security flaw tracked as CVE-2024-6094 has been identified in the WP ULike plugin: a Stored Cross-Site Scripting (XSS) vulnerability in a settings field, which lets a user with access to the plugin settings store a script that executes in the browsers of the site's visitors.
| Field | Value |
|---|---|
| CVE | CVE-2024-6094 |
| Plugin | WP ULike < 4.7.1 |
| Severity | High |
| Downloads (all time) | 1 752 272 |
| Active installations | 80 000+ |
| Publicly published | August 1, 2024 |
| Last updated | August 1, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7:2017 Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6094 ; https://wpscan.com/vulnerability/019b3f34-7b85-4728-8dd7-ca472d6b2d06/ |
Timeline
| Date | Event |
|---|---|
| June 17, 2024 | Plugin testing and vulnerability detection in WP ULike completed |
| June 17, 2024 | Contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| August 1, 2024 | CVE-2024-6094 registered and published |
Discovery of the Vulnerability
The vulnerability was uncovered during routine security testing of WordPress plugins. WP ULike, widely used for adding like and dislike buttons to posts, pages and comments, stores the value of its "Button Image" setting without sanitizing it and later writes that value into the front-end markup without context-appropriate escaping, which is what makes the stored XSS possible.
Understanding Stored XSS Attacks
In a stored XSS attack the malicious script is persisted on the target server, for example in a database row, a forum message, a visitor log or a comment field, and is delivered to every user whose browser later renders that data. Because the payload is served by the legitimate site, it runs with that site's origin and can read cookies that are not HttpOnly, issue authenticated requests, and alter the page. In the case of WP ULike, the attacker places the payload in the "Button Image" field; the plugin saves it as-is and echoes it into the markup of every page on which the like button is rendered, so the script executes in each visitor's browser.
Exploiting the Stored XSS Vulnerability
To exploit the issue an attacker with access to the WP ULike settings embeds HTML and JavaScript in the "Button Image" field. Nothing more than loading a page that renders the like or dislike button is needed: with an onerror-based payload like the one below the script fires as soon as the browser parses the injected tag, without the victim clicking anything. The script could redirect visitors to attacker-controlled sites, steal cookies, or perform actions in the victim's authenticated session.
PoC:
1. In the plugin's main settings, replace the value of the "Button Image" field with a payload that closes the surrounding markup and injects a tag, for example:
https://123.123"asdasd="</style><img src=x onerror=alert(1)>
2. Click Save Settings, then open any front-end page where the like button is rendered. The payload is written to close both a quoted attribute value and an inline <style> block, so the trailing <img> tag is parsed as HTML and alert(1) fires.
Note on roles: administrators and editors on a single-site install normally hold the unfiltered_html capability and are allowed to put JavaScript in posts, pages and comments, so a script they store is not by itself a vulnerability. When testing for stored XSS with such roles, disallow that capability first (for example with the DISALLOW_UNFILTERED_HTML constant in wp-config.php; on multisite only super admins hold it by default). The plugin is at fault because it does not check the capability and does not escape the value on output.
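To make the root cause concrete, here is an added example (not WP ULike's code and not part of the original advisory) of a plugin that stores an image URL and writes it into an inline style block. The option name, CSS class and all function names are hypothetical; the vulnerable version reproduces the pattern the PoC above exploits, and the hardened version validates the value on save with esc_url_raw() and escapes it on output with esc_url(), both real WordPress core functions.

```php
<?php
/**
 * Added example, not WP ULike's code. Shows an admin-controlled "Button Image"
 * URL written into an inline <style> block unsafely, then the hardened form.
 * Option name 'example_button_image' and class .example-like-btn are assumed.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The saved value is interpolated verbatim. A value such as
//   https://123.123"asdasd="</style><img src=x onerror=alert(1)>
// closes the <style> element early; the browser parses the rest as HTML.
function example_render_button_css_vulnerable( $image_url ) {
    return '<style>.example-like-btn{background-image:url("' . $image_url . '")}</style>';
}

// --- Hardened pattern -------------------------------------------------------
// 1. Validate on save: only http(s) URLs survive; anything else becomes ''.
function example_sanitize_button_image( $value ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    $url   = esc_url_raw( $value, array( 'http', 'https' ) );
    if ( '' === $url ) {
        add_settings_error(
            'example_button_image',
            'invalid_url',
            'Button Image must be an http(s) URL.'
        );
        return '';
    }
    return $url;
}

// 2. Escape on output for the exact context. esc_url() strips every character
//    that is not legal in a URL, including '"', '<' and '>', so the value can
//    no longer terminate the quoted url() string or the <style> element.
function example_render_button_css_safe( $image_url ) {
    $url = esc_url( $image_url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }
    return '<style>.example-like-btn{background-image:url("' . $url . '")}</style>';
}

// Register the option so the sanitizer runs on every save, regardless of which
// form or REST request wrote it.
add_action( 'admin_init', function () {
    register_setting(
        'example_settings_group',
        'example_button_image',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_button_image',
            'default'           => '',
        )
    );
} );

// Emit the (escaped) rule in the front end.
add_action( 'wp_head', function () {
    echo example_render_button_css_safe( get_option( 'example_button_image', '' ) );
} );
```

Run through the hardened path, the PoC value loses its quotes and angle brackets and comes out as a harmless, if broken, URL inside url("..."); the sanitize callback additionally rejects non-http(s) schemes such as javascript:, so the stored value is constrained before it is ever rendered. Both layers matter: output escaping protects pages that render the option, and input validation protects any other consumer of the option that may forget to escape.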
____
The risk is rated high because the stored script runs in the browser of every visitor to the affected pages, including other logged-in administrators. Executing in an administrator's authenticated session, it can issue requests on that user's behalf, for instance creating an additional administrator account as a persistent backdoor, and from there the attacker can take over the site, steal user data, and serve further malicious content to visitors.
Recommendations for Improved Security
To mitigate this vulnerability and improve overall site security, it is recommended that:
- WP ULike be updated to version 4.7.1 or later, which contains the fix.
- Website administrators remove the unfiltered_html capability from all roles except trusted administrators (the DISALLOW_UNFILTERED_HTML constant in wp-config.php removes it from every user; a map_meta_cap filter can apply it selectively).
- All installed plugins and themes are audited and updated regularly.
- A security plugin providing web application firewall and malware scanning functionality is used.
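The second recommendation is the one testers most often get wrong, so here is an added example (not part of the original post or of WP ULike) showing the two ways to take unfiltered_html away. The constant is WordPress core's own switch; the filter is a hypothetical must-use plugin that uses the real map_meta_cap hook to deny the capability to everyone who is not a super admin.

```php
<?php
/**
 * Added example, not part of WP ULike or of the original post: two ways to
 * remove the unfiltered_html capability so that stored-XSS findings made with
 * administrator or editor accounts are meaningful. Save the filter version as
 * its own file under wp-content/mu-plugins/ so it loads before normal plugins.
 */

// Option A (wp-config.php, blanket): no user keeps unfiltered_html, including
// administrators. WordPress core honours this constant inside map_meta_cap().
//
//     define( 'DISALLOW_UNFILTERED_HTML', true );

// Option B (mu-plugin, selective): deny unfiltered_html to everyone except
// super admins. On a single site is_super_admin() is true for administrators;
// on multisite it is true only for network super admins. Editors and lower
// roles lose the ability to post raw <script> in either case.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap && ! is_super_admin() ) {
        // Returning do_not_allow makes current_user_can('unfiltered_html')
        // false, so wp_kses filters the content of posts, pages and comments.
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );
```

With either option in place, a script that an editor stores in a post is stripped by KSES, while a script that the plugin writes out from its own settings is not, which is exactly the distinction the PoC note above relies on.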
By taking proactive measures to address stored XSS vulnerabilities like CVE-2024-6094, WordPress website owners can strengthen their security posture and safeguard against exploitation. Stay vigilant, stay secure.
#WordPressSecurity #XSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.