In the dynamic world of WordPress plugins, security vulnerabilities can have significant impacts on the safety and functionality of websites. One such critical issue has been identified in the Ultimate Blocks plugin, assigned CVE-2024-6362. This vulnerability allows attackers to exploit Stored Cross-Site Scripting (XSS) to create admin accounts through malicious JavaScript code.

CVECVE-2024-6362
PluginUltimate Blocks < 3.2.0
CriticalHigh
All Time1 425 000
Active installations50 000+
Publicly PublishedJuly 15, 2024
Last UpdatedJuly 15, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6362
https://wpscan.com/vulnerability/d2e2d06b-0f07-40b9-9b87-3373f62ae1a9/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

May 4, 2024Plugin testing and vulnerability detection in the Ultimate Blocks have been completed
May 4, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 15, 2024Registered CVE-2024-6362

Discovery of the Vulnerability

During a routine security assessment of the Ultimate Blocks plugin, a Stored XSS vulnerability was discovered. The flaw allows unauthorized users to inject malicious scripts via a new post, which the plugin then processes and stores. This vulnerability can be leveraged to create unauthorized admin accounts, giving attackers control over the WordPress site.

Understanding of Stored XSS attack’s

XSS vulnerabilities are among the most common security issues in web applications, including WordPress. They occur when an attacker is able to inject malicious scripts into web pages viewed by other users. In the context of WordPress, this can lead to various forms of exploitation, including session hijacking, unauthorized actions, and even full administrative control of the site. Real-world examples include past incidents where XSS was used to steal user data or escalate privileges.

Exploiting the Stored XSS Vulnerability

In this particular vulnerability, the attack involves injecting malicious JavaScript into the “postTitleTag” field within the Ultimate Blocks plugin. The proof of concept (POC) payload involves a complex JavaScript snippet embedded in the post content. Here’s a simplified version of the exploit:

POC:

<!-- wp:ub/post-grid {\"blockID\":\"a8c7dde7-b132-40a2-89ac-42425cef5e3a\",\"postImageWidth\":0,\"excerptLength\":24,\"readMoreText\":\"123\\u0022asdasd= '';asdasd='\\\\';\\u003c/style\\u003e\\u0026lt;img src=x onerror=alert(1)\\u0026gt;\\u003cimg src=x onerror=alert(1)\\u003e; alert( 555 );// \\u0022 ~!@#$%^\\u0026U*I(OP_+`1234~!@#$%^\\u0026*()_\",\"postLayout\":\"list\",\"columnGap\":\"30px\",\"postTitleTag\":\"img src=x onerror=alert(1)\"} /-->

____

The potential impact of this vulnerability is significant. If exploited, attackers could gain administrative access to WordPress sites, allowing them to modify content, install malicious plugins, or even steal sensitive information. This poses a serious risk to site owners and users, especially those managing critical business operations or personal data through their WordPress sites.

Recommendations for Improved Security

To mitigate this vulnerability, it is crucial for users of the Ultimate Blocks plugin to update to the latest version where the issue has been addressed. Additionally, site administrators should regularly audit their plugins for security flaws, implement robust input validation, and restrict user permissions to minimize the risk of exploitation. Employing a web application firewall and keeping all plugins and themes up-to-date can also help protect against similar vulnerabilities.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6362, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.
CVE-2024-6362 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *