ProfilePress is a popular WordPress plugin that provides user profile and membership management features. However, CVE-2024-13119 highlights a critical Stored Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript into the plugin’s settings. This vulnerability can be exploited by attackers with editor-level access to inject JavaScript into the “Title” field in the Member Directory settings. When the settings are saved, the malicious code is stored in the WordPress database and executed when the directory is rendered. This flaw enables attackers to create a backdoor, potentially giving them full control of the site. With over 200,000 active installations, this vulnerability poses a serious risk to websites using ProfilePress.
| CVE | CVE-2024-13119 |
| Plugin | ProfilePress < 4.15.20 |
| Critical | High |
| All Time | 13 914 700 |
| Active installations | 200 000+ |
| Publicly Published | January 17, 2024 |
| Last Updated | January 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13119 https://wpscan.com/vulnerability/32600a45-a8cd-446c-9aa2-0621a02a9754/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 9, 2024 | Plugin testing and vulnerability detection in the ProfilePress have been completed |
| December 9, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2024 | Registered CVE-2024-13119 |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security audit of ProfilePress. The issue lies in the plugin’s handling of the “Title” field in the Member Directory settings, where the input is not properly sanitized or validated. The plugin allows users to customize the “Title” of a member directory, and it fails to properly handle JavaScript code injected into this field. When an attacker inputs malicious JavaScript (such as <img src=x onerror=alert(1)>), the code is saved in the database and executed when the directory is viewed. The vulnerability arises from the plugin’s inability to sanitize user input correctly, making it possible for attackers with low-level access (such as editors) to exploit the flaw and execute arbitrary JavaScript in the context of the WordPress site.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a vulnerability where attackers inject malicious scripts into web pages, which are then executed in the browsers of users who visit the page. This type of attack can lead to severe consequences, including session hijacking, credential theft, and unauthorized access. XSS vulnerabilities are common in WordPress plugins that handle user-generated content without properly sanitizing it. A well-known example of XSS in WordPress occurred in the WPForms plugin, where malicious scripts could be injected into form fields. Similarly, CVE-2024-13119 takes advantage of improper input sanitization in ProfilePress, allowing attackers to inject JavaScript into the “Title” field of the Member Directory settings.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13119, an attacker with editor-level privileges:
POC:
1) You should navigate http://127.0.0.1/wordpress/wp-admin/admin.php?page=ppress-directories 2) Create a new Member Directory with any name 3) Idit Username field nad change "Title" to "Malicious JS code eval() and etc. For example <img src=x oenrror=alert(1)> -> Save Settings 4) Take a new shortcode of the members directories and create new post with it____
The risks associated with CVE-2024-13119 are significant. If an attacker successfully exploits this vulnerability, they can hijack the session of an administrator or other privileged user, allowing them to gain full control of the WordPress site. Once the attacker has admin access, they can modify content, install malicious plugins, or steal sensitive data. In a real-world scenario, an attacker could escalate their privileges by creating a backdoor admin account, which would allow them to maintain control of the site even after the vulnerability is patched. This is especially dangerous for websites that handle sensitive information, such as e-commerce or membership sites, as the exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Moreover, once the attacker has admin access, they can install additional malicious scripts or compromise other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13119, administrators should immediately update ProfilePress to the latest patched version once a fix is available. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. It is crucial to properly sanitize and validate user inputs, particularly those that will be rendered on the frontend, such as the “Title” field in the Member Directory settings. Implementing Content Security Policies (CSP) can help mitigate the impact of XSS attacks by blocking untrusted scripts from executing. Regular security audits, the use of security plugins, and properly managing user roles are also important steps in detecting and preventing XSS vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13119, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
