Download Manager is a widely used WordPress plugin for managing downloadable files and controlling access to them. However, it contains a critical vulnerability, CVE-2024-10706, which allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript code into the plugin’s settings, which is then executed when the settings are accessed. This could lead to account takeover, with attackers gaining unauthorized admin access. With over 100,000 active installations, this flaw presents a significant security risk for WordPress websites using Download Manager.
| CVE | CVE-2024-10706 |
| Plugin | Download Manager < 3.3.03 |
| Critical | High |
| All Time | 6 234 435 |
| Active installations | 100 000+ |
| Publicly Published | November 9, 2024 |
| Last Updated | November 9, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10706 https://wpscan.com/vulnerability/01193420-9a4c-4961-93b6-aa2e37e36be1/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 18, 2024 | Plugin testing and vulnerability detection in the Download Manager have been completed |
| October 18, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 9, 2024 | Registered CVE-2024-10706 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Download Manager plugin. It was found that the plugin fails to sanitize user input properly in the “Primary color” field within the plugin’s main settings page. This field, intended for setting the primary color of the site, can be exploited by attackers with editor privileges to inject JavaScript. The injected code is stored in the plugin’s settings and executed when the settings page is viewed. This flaw arises from inadequate input sanitization, allowing editors (who typically have limited permissions) to inject unfiltered JavaScript into the plugin’s configuration.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are one of the most common types of security flaws in web applications. XSS occurs when an attacker injects malicious scripts into web pages that are then executed by the browser of anyone who views the page. In WordPress, this vulnerability is often found in plugins and themes that fail to properly sanitize user inputs. A famous real-world example of XSS in WordPress was the vulnerability discovered in the WPForms plugin, where malicious scripts were injected into form fields, leading to session hijacking and unauthorized access. Similarly, CVE-2024-10706 exploits improper input sanitization in Download Manager, allowing attackers to inject harmful JavaScript into the plugin settings, which can then be executed when viewed by an admin.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10706, an attacker with editor-level access:
POC:
Change "Primary" color field in main settings to "Malicious JS code eval() and etc. For example 123" onmouseover=alert(1)// -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-10706 are severe. Exploiting this vulnerability could allow an attacker to hijack an administrator’s session, steal sensitive data, or create a backdoor admin account. With full admin access, the attacker could modify or delete site content, install malicious plugins, or steal user information. In a real-world scenario, an attacker could use the backdoor to take control of the entire site, locking out legitimate admins, spreading malware, or redirecting users to malicious sites. For websites dealing with sensitive user data, such as e-commerce or membership sites, this vulnerability could lead to significant data breaches, financial loss, and reputational damage. Furthermore, this vulnerability could serve as a stepping stone for further attacks, allowing attackers to compromise other systems connected to the WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10706, WordPress administrators should immediately update Download Manager to the latest version as soon as a patch is available. Additionally, administrators should restrict access to plugin settings such as the “Primary color” field, particularly for non-admin users. Input fields should be properly sanitized to prevent the injection of JavaScript, and non-admin users should not be allowed to inject JavaScript into plugin settings. It is also recommended to disable the unfiltered_html capability for non-admin users and use security plugins to scan for vulnerabilities in WordPress plugins. Implementing Content Security Policies (CSP) can also help mitigate the impact of any successful XSS attacks by blocking untrusted scripts from executing. Regular security audits and reviewing user permissions can further help to protect WordPress sites from such vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10706, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
