Ajax Search Lite, a popular WordPress plugin that enables live search and filtering functionality, has been found to have a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10568. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which is stored in the WordPress database and executed when the settings are accessed. The injected JavaScript can create a backdoor, potentially leading to account takeover and site compromise. With over 100,000 active installations, this vulnerability poses a significant security risk for WordPress sites that use the Ajax Search Lite plugin.
| CVE | CVE-2024-10568 |
| Plugin | Ajax Search Lite < 4.12.4 |
| Critical | High |
| All Time | 1 157 124 |
| Active installations | 100 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10568 https://wpscan.com/vulnerability/1676aef0-be5d-4335-933d-dc0d54416fd4/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 11, 2024 | Plugin testing and vulnerability detection in the Ajax Search Lite have been completed |
| October 11, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-10568 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the Ajax Search Lite plugin. It was found that the plugin fails to properly sanitize the input in the “Default image URL” field within its main settings. This field, intended to specify a default image for search results, can be manipulated by an attacker to inject malicious JavaScript code. When the plugin’s settings are saved, the malicious code is stored and executed when the settings page is viewed again. Since admins and editors are often granted the unfiltered_html capability, they can inject JavaScript into this field, making it easy to exploit this vulnerability even with low-level privileges.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common types of vulnerabilities in web applications, especially in content management systems like WordPress. XSS vulnerabilities allow attackers to inject malicious JavaScript into web pages, which is then executed in the browsers of users who visit the page. These attacks can lead to session hijacking, credential theft, and privilege escalation. A famous example of an XSS vulnerability in WordPress is found in the WPForms plugin, where attackers could inject JavaScript into form fields, leading to session hijacking. Similarly, CVE-2024-10568 exploits improper sanitization in Ajax Search Lite, allowing malicious JavaScript to be executed when interacting with the plugin’s settings.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-10568 is relatively simple. An attacker with editor-level access:
POC:
You should create a new post with Ajax Search block. Change "Default image url" field in main settings to "Malicious JS code eval() and etc. For example 123" onmouseover=alert(1) -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-10568 are substantial. If exploited, an attacker could hijack the session of an administrator or another user with high privileges, allowing the attacker to gain full control of the WordPress site. This could lead to various malicious actions, including stealing user data, modifying site content, installing malware, or spreading further attacks to other systems. In a real-world scenario, an attacker could use the backdoor to manipulate search results, steal sensitive information from users, or lock administrators out of their own site. For e-commerce sites, membership platforms, or any WordPress site handling sensitive data, the consequences of this vulnerability could be severe, leading to data breaches, financial losses, and reputational damage.
Recommendations for Improved Security
o mitigate the risks associated with CVE-2024-10568, administrators should immediately update Ajax Search Lite to the latest version once a patch is available. Additionally, it is crucial to restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting malicious JavaScript into plugin settings. Input fields, particularly those controlling dynamic content like images, should be properly sanitized to prevent script injections. Implementing Content Security Policies (CSP) can help limit the execution of untrusted scripts. Site administrators should also conduct regular security audits of plugins, use security plugins that scan for XSS vulnerabilities, and review user permissions to minimize exposure to such vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10568, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
