CVE-2024-7132 exposes a critical flaw in the CoBlocks plugin, a widely used WordPress extension with over 400,000 installations. This Stored XSS vulnerability can be exploited by contributors to embed malicious JavaScript code within posts, leading to unauthorized actions, including the creation of admin accounts. The vulnerability highlights the significant security risks associated with improper input validation in WordPress plugins, particularly in environments where user roles and permissions are not tightly controlled.
| CVE | CVE-2024-7132 |
| Plugin | CoBlocks < 3.1.13 |
| Critical | High |
| All Time | 22 303 450 |
| Active installations | 400 000+ |
| Publicly Published | August 19, 2024 |
| Last Updated | August 19, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7132 https://wpscan.com/vulnerability/16deb743-6fe9-43a2-9586-d92cfe1daa17/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| July 19, 2024 | Plugin testing and vulnerability detection in the CoBlocks have been completed |
| July 19, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| August 19, 2024 | Registered CVE-2024-7132 |
Discovery of the Vulnerability
During a penetration test of the CoBlocks plugin, a vulnerability was discovered that allows contributors—users typically granted limited permissions—to inject and execute malicious JavaScript code within WordPress posts. The vulnerability is located within the “Post Carousel” block, which allows users to showcase post content in a rotating format. The block fails to properly sanitize input when a new post is created, allowing attackers to inject XSS payloads such as <img src=x onerror=alert(1)>.
Understanding of Stored XSS attack’s
Cross-Site Scripting (XSS) is one of the most commonly exploited vulnerabilities in WordPress, especially through third-party plugins like CoBlocks. XSS vulnerabilities occur when input fields, such as those used to create posts or blocks, are not sufficiently sanitized, allowing attackers to insert and execute scripts in the browser of unsuspecting users. These scripts can be used to steal sensitive information, hijack sessions, or escalate privileges.
In the case of CoBlocks, contributors—typically a lower-privileged user role—are able to inject JavaScript into the “Post Carousel” block due to insufficient sanitization. When a site administrator views the post, the script is executed, often without any visible signs of the attack. In more severe cases, such scripts can create new admin accounts or install backdoors, providing the attacker with full control over the WordPress site.
Exploiting the Stored XSS Vulnerability
Exploiting CVE-2024-7132 is relatively straightforward for a contributor with post creation privileges. The attacker first creates a post containing a malicious script, such as the XSS payload <img src=x onerror=alert(1)>. Once this payload is embedded, the attacker then adds a “Post Carousel” block to a new post, which displays content from various posts on the site.
POC:
Firstly, you should create a new Post with this content: <img src=x onerror=alert(1)>. After that you should create a new Post and add here "Post Carousel" block____
The potential risk of CVE-2024-7132 is substantial, particularly for WordPress sites with multiple contributors or those that rely on plugins like CoBlocks for content creation. The vulnerability allows attackers to bypass security restrictions by leveraging the contributor role to execute harmful scripts, potentially leading to full site compromise.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-7132, WordPress site administrators should immediately update CoBlocks to the latest version, as the developers are expected to release a patch addressing this issue. It is also essential to review and restrict user roles and permissions, particularly for contributors who may not need access to blocks or post types that could introduce vulnerabilities.
Additionally, developers of WordPress plugins like CoBlocks should implement rigorous input sanitization measures to prevent XSS attacks. Website owners can further protect themselves by employing a comprehensive security plugin that monitors for XSS attempts and blocks malicious scripts before they can be executed. Regular security audits of plugins and their interactions with WordPress core functionalities will help identify vulnerabilities early and reduce the risk of exploitation.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7132, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
ARTYOM K.
