List Category Posts is a widely used WordPress plugin that allows site owners to display posts from specific categories in a list format. However, CVE-2024-9020 has been identified as a critical Stored Cross-Site Scripting (XSS) vulnerability within the plugin. This vulnerability enables attackers with contributor-level privileges to inject malicious JavaScript into post excerpts, which can lead to the creation of a backdoor admin account. With over 100,000 active installations, this flaw presents a significant security risk for websites using the List Category Posts plugin.
| CVE | CVE-2024-9020 |
| Plugin | List category posts < 0.90.3 |
| Critical | High |
| All Time | 11 023 855 |
| Active installations | 100 000+ |
| Publicly Published | December 17, 2024 |
| Last Updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9020 https://wpscan.com/vulnerability/6caa4e5d-8112-4d00-8e97-b41df611a071/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| September 18, 2024 | Plugin testing and vulnerability detection in the List Category Posts have been completed |
| September 18, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | Registered CVE-2024-9020 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the List Category Posts plugin. The issue lies in how the plugin handles excerpts, specifically when using the shortcode block for category listings. The plugin fails to sanitize user input in the “excerpt” field, which is rendered on the frontend. This allows contributors (who typically have limited privileges) to inject malicious JavaScript into the post excerpts. The flaw exists because the plugin does not properly validate or sanitize JavaScript code in these fields, allowing it to be stored in the WordPress database and executed when the page is rendered.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a vulnerability that occurs when attackers inject malicious JavaScript into a webpage, which is then executed in the browsers of users who visit the page. This type of attack is particularly dangerous in WordPress plugins that handle user-generated content, such as post excerpts or form fields, without properly sanitizing the input. A real-world example of XSS in WordPress occurred in the Contact Form 7 plugin, where attackers were able to inject JavaScript into form fields, potentially stealing session cookies or hijacking user sessions. Similarly, CVE-2024-9020 exploits improper input validation in List Category Posts, allowing contributors to inject malicious JavaScript into the excerpt fields, which is then executed when the post is viewed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-9020, an attacker with contributor-level privileges:
POC:
1) Create a new Post 2) Add here "Shortcode" block -> [catlist excerpt_tag='script' excerpt=yes] 3) Create another Post and put inside excerpt any Malicious JS -> like this alert(1)____
The potential risks associated with CVE-2024-9020 are substantial. If successfully exploited, this vulnerability can lead to the hijacking of an admin session, enabling an attacker to gain full control over the WordPress site. Once the attacker has admin access, they can modify content, install malicious plugins, or steal sensitive data. In a real-world scenario, an attacker could create a backdoor admin account, allowing them to retain control over the site even after the vulnerability is patched. For websites dealing with sensitive user information, such as e-commerce or membership sites, the exploitation of this vulnerability could lead to significant data breaches, financial losses, and reputational damage. Moreover, the attacker could use the backdoor to install further malicious code or compromise other connected systems.
Recommendations for Improved Security
o mitigate the risks associated with CVE-2024-9020, administrators should immediately update the List Category Posts plugin to the latest version once a patch is released. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially contributors, to prevent the injection of JavaScript into post excerpts. Proper sanitization and validation of user input should be implemented for all fields that affect dynamic content on the site, such as excerpts. Implementing Content Security Policies (CSP) can also help mitigate the risk of XSS attacks by blocking untrusted scripts from executing. Regular security audits, the use of security plugins, and limiting user permissions are also important steps in detecting and preventing such vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9020, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
