CVE-2024-8492 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Hustle plugin, which is used by over 100,000 WordPress installations to create popups, email opt-ins, and other marketing tools. This vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings, particularly in the “Error Message” field of the Email Field settings. If exploited, this vulnerability can lead to admin account takeover and the creation of persistent backdoors, giving attackers long-term control over the site.
| CVE | CVE-2024-8492 |
| Plugin | Hustle < 7.8.5 |
| Critical | High |
| All Time | 3 753 313 |
| Active installations | 100 000+ |
| Publicly Published | September 14, 2024 |
| Last Updated | September 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8492 https://wpscan.com/vulnerability/c7437eba-8e91-4fcc-82a3-ff8908b36877/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| Jule 29, 2024 | Plugin testing and vulnerability detection in the Hustle – Email Marketing, Lead Generation, Optins, Popups have been completed |
| July 29, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 14, 2024 | Registered CVE-2024-8492 |
Discovery of the Vulnerability
The vulnerability was discovered during security testing of the Hustle plugin. The flaw lies in the plugin’s “Error Message” field within the Email Field settings for popups. This field does not properly sanitize user input, allowing attackers to inject harmful JavaScript. When saved, the injected script executes whenever the popup is displayed to administrators or editors.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) occurs when user inputs are not properly sanitized, allowing malicious scripts to be executed in a user’s browser. In WordPress, XSS vulnerabilities are particularly dangerous because they can lead to session hijacking, privilege escalation, and even full site compromise.
In CVE-2024-8492, the vulnerability resides in the Hustle plugin’s popup system, where contributors or editors can inject harmful scripts. The danger of stored XSS lies in its ability to store malicious code in the database, which is then executed whenever an administrator interacts with the affected element—in this case, the popup. Similar XSS vulnerabilities in WordPress plugins have been exploited for account takeover, data theft, and the creation of persistent backdoors.
Exploiting the XSS Vulnerability
To exploit CVE-2024-8492, an attacker with editor-level access can create a new popup in the Hustle plugin and inject a malicious JavaScript payload into the “Error Message” field of the Email Field settings. For example:
POC:
You should create a new popup. Change "Error Message" field in Email Field settings to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)> -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-8492 are significant. If exploited, this vulnerability can lead to complete site compromise, allowing attackers to create new admin accounts, steal sensitive data, or inject malware into the site. E-commerce sites or businesses using Hustle for lead generation and marketing could be particularly vulnerable, as attackers could manipulate customer data or use the site for phishing attacks.
Recommendations for Improved Security
To mitigate the risk of CVE-2024-8492, WordPress administrators should update the Hustle plugin to the latest version as soon as a patch is released. Developers must ensure that all input fields, especially the “Error Message” field in the Email Field settings, are properly sanitized to prevent XSS attacks.
Additionally, administrators should review the permissions of users with editor-level access, restricting their ability to insert unfiltered HTML or JavaScript. Installing a security plugin that monitors for XSS attacks and blocks malicious scripts can provide an extra layer of protection. Regular security audits of plugin settings and WordPress configurations can help identify and address vulnerabilities before they can be exploited.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8492, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
