CVE-2024-10104 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Jobs for WordPress plugin, widely used to manage and display job postings on WordPress sites. This vulnerability allows users with Contributor or higher permissions to inject malicious JavaScript (JS) code into the job posting settings, specifically in the “Working Hours” field. Once exploited, the vulnerability can lead to admin account takeovers, unauthorized backdoor installations, and long-term control over the WordPress site.
| CVE | CVE-2024-10104 |
| Plugin | Jobs for WordPress < 2.7.8 |
| Critical | High |
| All Time | 182 878 |
| Active installations | 10 000+ |
| Publicly Published | October 28, 2024 |
| Last Updated | October 28, 2024 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10104 https://wpscan.com/vulnerability/f0a9c8ae-f2cf-4322-8216-4778b0e37a48/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| September 24, 2024 | Plugin testing and vulnerability detection in the Jobs for WordPress have been completed |
| September 24, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 28, 2024 | Registered CVE-2024-10104 |
Discovery of the Vulnerability
During testing of the Jobs for WordPress plugin, a vulnerability was discovered, due to which users with author rights can enter malicious JavaScript into certain fields. This discovery shows that low-privilege roles can still reveal serious security gaps on WordPress sites. After entering malicious code in the “Opening Hours” field, the payload is activated during the preview, which can lead to the compromise of administrator accounts and other confidential site data.
Understanding of XSS attack’s
Stored XSS code occurs when malicious scripts are permanently stored on the server. After saving, the code runs on any page where it is embedded. In WordPress, XSS attacks with data retention often occur due to plugins that allow you to enter custom code, which allows attackers to enter malicious code that is then used by the site for other users. Real-world examples demonstrate how attackers used similar vulnerabilities to install backdoors, steal session cookies, or distort web pages. Vulnerability CVE-2024-10104 of the Job for WordPress plugin allows for similar exploitation, since users can inject malicious JavaScript that can be executed by unsuspecting administrators.
Exploiting the XSS Vulnerability
Exploiting the vulnerability CVE-2024-10104 includes the following steps:
POC:
- A user logs in with Contributor rights and accesses the Jobs panel.
- The user creates a new job posting, adding text and a malicious payload encoded in HTML to the “Working Hours” field.
- Once saved, the payload is stored in the WordPress database.
- When an administrator previews the job listing, the payload is executed, enabling an attacker to gain unauthorized access or perform actions on behalf of the administrator.
Proof of Concept (PoC) Payload:
"><script></script><img src=x onerror=alert(1)>____
Successful exploitation of the CVE-2024-10104 vulnerability from the Contributor+ role can lead to the interception of the administrator account, the constant creation of a backdoor or unauthorized manipulation of the site content. For businesses or websites that use Jobs for WordPress to manage user interaction, this vulnerability can lead to data theft, site corruption, or even the spread of malware.
In real-world situations, attackers can exploit this vulnerability to completely hijack a website and then. Creating permanent backdoors allows attackers to maintain control over the site even after the initial vulnerability has been eliminated.
Recommendations for Improved Security
To prevent exploitation of the CVE-2024-10104 vulnerability, WordPress administrators should update the Jobs for WordPress plugin to the latest version as soon as the patch is released.
Administrators should review user roles and permissions by limiting the ability of authors or editors to insert unfiltered HTML or JavaScript. Installing a security plugin that monitors hacking attempts and blocks suspicious scripts can provide an additional layer of protection. Regular security checks and plugin updates are necessary to prevent similar vulnerabilities in the future.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10104, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Artyom k.
