Kadence Blocks, a popular WordPress plugin used to extend the functionality of the Kadence theme by adding custom blocks, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10637. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into a new post, which is then stored and executed. The vulnerability can lead to the creation of a JavaScript backdoor, which can escalate privileges to admin level, allowing attackers to take control of the site. With over 400,000 active installations, this vulnerability presents a significant security risk to WordPress sites using Kadence Blocks.
| CVE | CVE-2024-10637 |
| Plugin | Kadence Blocks < 3.2.54 |
| Critical | High |
| All Time | 28 811 134 |
| Active installations | 400 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10637 https://wpscan.com/vulnerability/df688dcc-9617-4f58-a310-891bfaea3695/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| September 11, 2024 | Plugin testing and vulnerability detection in the Gutenberg Blocks with AI by Kadence WP have been completed |
| September 11, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10637 |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security audit of the Kadence Blocks plugin. The issue lies in how the plugin processes and stores form parameters, specifically when creating a new form using the “Forms (Adv)” block. By intercepting and manipulating the request, attackers can inject malicious JavaScript code into the form fields. One such attack involves replacing a normal parameter, such as the “family” field, with a malicious payload, such as </style><svg/onload=alert(1)></style>. This input is stored and executed when the form is rendered. The vulnerability arises from the plugin’s failure to properly sanitize user input before it is stored and displayed.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are one of the most common and severe types of security flaws in web applications, including WordPress plugins. XSS occurs when an attacker is able to inject malicious JavaScript into a page viewed by other users. This can lead to a variety of attacks, such as session hijacking, defacing websites, stealing sensitive data, or escalating privileges to gain control over the site. A well-known real-world example of an XSS vulnerability in WordPress is the issue in the WPForms plugin, where an attacker could inject scripts into form fields, stealing cookies and session data. Similarly, CVE-2024-10637 exploits improper sanitization in Kadence Blocks, allowing malicious scripts to be executed when the form is rendered.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10637, an attacker with contributor-level access:
POC:
1) Create a new Post 2) Add here "Forms (Adv)" block 3) Create a new from and change any of parametrs inside new form 4) Intercept request and replace "family" with "</style><svg/onload=alert(1)></style>"____
The risks associated with CVE-2024-10637 are significant. A successful exploitation could allow an attacker to hijack user sessions, steal sensitive information, or escalate their privileges to gain administrative control over the site. In a real-world scenario, the attacker could create a backdoor admin account, giving them full access to the WordPress dashboard and the ability to alter content, install malicious plugins, or steal customer data. For e-commerce sites or membership platforms, this could lead to severe data breaches, financial losses, or reputational damage. Furthermore, this vulnerability could be used as part of a larger attack, where the attacker compromises not only the WordPress site but also other systems connected to the site. The ability to exploit XSS vulnerabilities with minimal privileges makes this a high-risk issue for WordPress administrators.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10637, WordPress administrators should immediately update Kadence Blocks to the latest patched version once available. Site administrators should also review and restrict contributor-level users from accessing sensitive form settings, especially those that can be manipulated to inject JavaScript. It is critical that all user inputs, particularly those within form fields, are properly sanitized before being stored and rendered. Implementing a Content Security Policy (CSP) can help prevent the execution of untrusted scripts, even if they are injected. Additionally, restricting the unfiltered_html capability for non-admin users and conducting regular security audits are essential to protecting WordPress sites from XSS vulnerabilities. Using security plugins that detect XSS attempts can also help identify and block such attacks before they can cause damage. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10637, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
