Popup Builder, a popular WordPress plugin used to create and manage popups on websites, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-9428. This flaw allows attackers to inject malicious JavaScript into the plugin’s settings, specifically within the “Alt Text” field of an image in the popup. The injected script can be executed when the popup is viewed, enabling attackers to escalate privileges and potentially create a backdoor for account takeover. This vulnerability affects over 200,000 installations of the Popup Builder plugin and presents a serious security risk for WordPress sites using this plugin.

CVE: CVE-2024-9428
Plugin: Popup Builder < 4.3.5
Critical: High
All Time: 10 123 174
Active installations: 200 000+
Publicly Published: October 25, 2024
Last Updated: October 25, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9428
https://wpscan.com/vulnerability/6e246547-e509-48db-88ae-b2f943398377/

Timeline

October 1, 2024: Plugin testing and vulnerability detection in Popup Builder were completed
October 1, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
October 25, 2024: Registered CVE-2024-9428

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of the Popup Builder plugin. It was found that the plugin fails to sanitize input in the “Alt Text” field for images added to popups. This lack of input sanitization allows an attacker with editor-level privileges to inject malicious JavaScript code into the field, which is then stored in the WordPress database. The script is executed when the image is rendered within the popup, which is displayed to site visitors. Since editors are typically granted the unfiltered_html capability, they are able to inject JavaScript into the plugin settings, which further amplifies the risk of exploitation. The issue arises from the plugin’s failure to properly handle user inputs, making it a prime target for exploitation.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities are one of the most common and dangerous types of security issues in web applications, particularly in content management systems like WordPress. XSS occurs when an attacker is able to inject malicious JavaScript into web pages that are then viewed by other users, leading to the execution of malicious actions in their browsers. This can lead to a wide range of attacks, including session hijacking, account takeover, and data theft. A well-known example of XSS in WordPress is the vulnerability found in the WPForms plugin, where attackers could inject JavaScript into form fields, allowing them to steal cookies or hijack sessions. CVE-2024-9428 exploits a similar flaw in the Popup Builder plugin, where malicious scripts can be injected into the “Alt Text” field and executed when the popup is shown.

Exploiting the XSS Vulnerability

Exploiting CVE-2024-9428 is straightforward. An attacker with editor-level access proceeds as follows:

POC:

Create a new Image PopUp. Add a new image and change the "Alt Text" field of the new image to "Malicious JS code eval() and etc. For example 123"onload=alert(11251)//" -> Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The potential risks associated with CVE-2024-9428 are significant. If exploited, this vulnerability could allow an attacker to hijack an administrator’s session, gain unauthorized access to the WordPress site, and perform actions such as modifying or deleting content, installing malicious plugins, or stealing sensitive data. In a real-world scenario, an attacker could use the backdoor created through this vulnerability to take full control of the WordPress site, leading to severe consequences such as data breaches, financial losses, and reputational damage. The vulnerability could also be used as a stepping stone for further attacks, where the attacker could compromise other sites or systems connected to the compromised WordPress installation. E-commerce sites, membership sites, and any platform handling sensitive information are especially vulnerable to this type of attack.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-9428, it is critical for administrators to update the Popup Builder plugin to the latest patched version. Additionally, administrators should review and restrict user roles to prevent editors and other non-admin users from injecting JavaScript into plugin settings. Sanitizing all user inputs, especially in fields like “Alt Text,” is essential to prevent XSS attacks. Furthermore, administrators should disable the unfiltered_html capability for non-admin users to prevent them from injecting JavaScript into posts, plugin settings, and other parts of the site. Implementing a Content Security Policy (CSP) can also help prevent untrusted scripts from executing, even if they are injected into the site. Regular security audits, the use of security plugins, and ongoing monitoring are also recommended to help detect and block any potential XSS attacks. To prevent this type of attack, the vendor applied our recommended methods of prevention.
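As an added example (not the plugin's or the author's code), the snippet below contrasts the vulnerable rendering pattern behind this issue with the attribute-escaped form, adds a simple check for stored alt text, and shows the unfiltered_html hardening from the recommendations above; the function names and the sample image path are assumptions, and the payload is the one from the PoC.

```php
<?php
// Added example (not the plugin's code): why the "Alt Text" field in
// CVE-2024-9428 is exploitable and how attribute-context escaping stops it.
// The WordPress calls at the end are guarded so the file also runs stand-alone.

// Payload from the PoC in this post.
const SAMPLE_ALT = '123"onload=alert(11251)//';

// Vulnerable pattern: the stored alt text is concatenated straight into HTML.
// The embedded double quote closes the alt attribute and the remainder
// becomes a new onload handler on the <img> element.
function render_popup_image_vulnerable(string $src, string $alt): string {
    return '<img src="' . $src . '" alt="' . $alt . '">';
}

// Hardened pattern: escape for the attribute context. This mirrors what
// WordPress's esc_attr() does; htmlspecialchars() with ENT_QUOTES turns the
// quote into &quot; so the value can never break out of alt="...".
function render_popup_image_safe(string $src, string $alt): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<img src="' . htmlspecialchars($src, $flags, 'UTF-8')
        . '" alt="' . htmlspecialchars($alt, $flags, 'UTF-8') . '">';
}

// Defensive check an audit script can apply to stored popup settings:
// a legitimate alt text should not contain attribute-breaking characters
// or an "on<event>=" handler fragment.
function alt_text_looks_injected(string $alt): bool {
    return (bool) preg_match('/["\'<>]|\bon[a-z]+\s*=/i', $alt);
}

// WordPress-side hardening (runs only inside WordPress): remove
// unfiltered_html from editors so they cannot store raw HTML/JS in plugin
// settings. Role changes persist in the database, so run this once (for
// example on plugin activation). Defining DISALLOW_UNFILTERED_HTML in
// wp-config.php is the site-wide equivalent.
if (function_exists('get_role')) {
    $editor = get_role('editor');
    if ($editor) {
        $editor->remove_cap('unfiltered_html');
    }
}

echo "vulnerable: " . render_popup_image_vulnerable('/img/banner.png', SAMPLE_ALT) . "\n";
echo "safe:       " . render_popup_image_safe('/img/banner.png', SAMPLE_ALT) . "\n";
echo "flagged:    " . (alt_text_looks_injected(SAMPLE_ALT) ? 'yes' : 'no') . "\n";
```

Running it stand-alone prints the broken attribute in the vulnerable line, an alt value with `&quot;` in the safe line, and `flagged: yes` for the PoC payload.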

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9428, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-9428 – Popup Builder – Stored XSS to JS Backdoor Creation – POC
