CVE-2024-8542 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Everest Forms plugin, used by over 100,000 WordPress installations to create forms. This flaw allows contributors or editors to inject malicious JavaScript (JS) into the form’s settings, specifically in the “No field” section of the YES/NO block. Once exploited, the vulnerability can lead to admin account takeovers, the creation of backdoors, and long-term control of the WordPress site.

CVE: CVE-2024-8542
Plugin: Everest Forms < 3.0.3.1
Severity: High
All Time Downloads: 5 210 783
Active installations: 100 000+
Publicly Published: September 14, 2024
Last Updated: September 14, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8542
https://wpscan.com/vulnerability/e5f94dcf-a6dc-4c4c-acb6-1a7ead701053/

Timeline

August 1, 2024: Plugin testing and vulnerability detection in Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! were completed
August 1, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it
September 14, 2024: Registered CVE-2024-8542

Discovery of the Vulnerability

The vulnerability was uncovered during security testing of the Everest Forms plugin. It was discovered that the “No field” within the YES/NO block does not properly sanitize input, allowing an attacker to inject harmful JavaScript code. Once saved, the malicious script executes when the form is viewed or interacted with by an administrator or privileged user, leading to session hijacking or account takeover.

Understanding XSS Attacks

Cross-Site Scripting (XSS) occurs when an attacker can inject and execute malicious scripts on a website due to improper input sanitization. Stored XSS, as in CVE-2024-8542, is particularly dangerous because the malicious script is stored in the WordPress database and executed whenever the affected form is viewed or interacted with.

In this case, contributors or editors can insert malicious JavaScript into the “No field” in a YES/NO block of Everest Forms, which executes whenever an administrator reviews the form. This vulnerability allows attackers to hijack sessions, create unauthorized admin accounts, or insert persistent backdoors. Similar XSS vulnerabilities have been exploited in WordPress to take over websites, steal data, or install malware.

Exploiting the XSS Vulnerability

To exploit CVE-2024-8542, an attacker with contributor- or editor-level access creates a new form in the Everest Forms plugin, adds a YES/NO block, and injects a payload such as the one in the PoC below into its “No field” setting.

POC:

Create a new form, add a YES/NO block, and change the "No field" field in the main settings to malicious JS code (eval() and the like), for example <img src=x onerror=alert(1)>, then click Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)

____

The risks associated with CVE-2024-8542 are significant. Successful exploitation can lead to admin account hijacking, persistent backdoor creation, or unauthorized manipulation of site content. For businesses or high-traffic websites using Everest Forms to manage user interactions, this vulnerability could lead to data theft, site defacement, or even malware distribution.

In real-world scenarios, attackers could use this vulnerability to steal sensitive information from site administrators or launch phishing attacks. The creation of persistent backdoors allows attackers to maintain control of the site even after the initial vulnerability is patched.

Recommendations for Improved Security

To mitigate the risks of CVE-2024-8542, WordPress administrators should update the Everest Forms plugin to the latest version as soon as a patch is released. Developers must ensure that all input fields, particularly the “No field” in the YES/NO block, are properly sanitized to prevent the injection of malicious JavaScript.
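The following is an added example, not Everest Forms' own code, showing the unsafe pattern behind a stored XSS in a form-setting label next to the hardened save and render paths a WordPress plugin should use. The xf_ function names and the _xf_no_label meta key are hypothetical; esc_html(), sanitize_text_field(), current_user_can() and update_post_meta() are core WordPress functions, so the snippet is meant to run inside a WordPress install.

```php
<?php
// Added example (hypothetical xf_ plugin), illustrating the "No field" label
// of a YES/NO block. Core WordPress functions are used for the actual work.

// Vulnerable pattern: the stored label is concatenated into the admin form
// builder markup unchanged. A contributor who saved
// <img src=x onerror=alert(1)> as the label gets that markup executed in the
// administrator's browser the next time the form is opened.
function xf_render_no_label_unsafe( array $field ) {
    return '<label class="xf-no">' . $field['no_label'] . '</label>';
}

// Hardened save path: a label is plain text, so tags are stripped for every
// role. No exception is made for unfiltered_html, because a label never needs
// markup and that capability is meant for post content, not plugin settings.
function xf_sanitize_no_label( $raw ) {
    $clean = sanitize_text_field( (string) $raw );
    // Bound the length as well, so the setting cannot carry a long payload.
    return mb_substr( $clean, 0, 200 );
}

// Hardened output path: escape at render time regardless of what is stored,
// so rows written before the fix are neutralised too. Output escaping is the
// control that actually stops a stored script from running.
function xf_render_no_label( array $field ) {
    return '<label class="xf-no">' . esc_html( $field['no_label'] ) . '</label>';
}

// Save handler with a capability check in front of the sanitizer. Which
// capability is required is a policy decision; manage_options (admin only)
// is used here as a stand-in for the plugin's own form-editing capability.
function xf_save_no_label( $form_id, $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit form settings.', 'xf' ), 403 );
    }
    update_post_meta( (int) $form_id, '_xf_no_label', xf_sanitize_no_label( $raw ) );
}
```

With both paths in place, the PoC payload is reduced to an empty label on save and, for rows stored before the fix, rendered as inert text rather than executed.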

Administrators should review user roles and permissions, restricting the ability for contributors or editors to insert unfiltered HTML or JavaScript. Installing a security plugin that monitors for XSS attempts and blocks suspicious scripts can provide an extra layer of protection. Regular security audits and plugin updates are essential to prevent similar vulnerabilities in the future.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8542, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-8542 – Everest Forms – Stored XSS to Backdoor Creation – POC
