ProfilePress is a widely used WordPress plugin that allows website administrators to easily manage user profiles, registration, and login processes. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in the plugin, CVE-2024-13120. This flaw allows attackers with editor-level access to inject malicious JavaScript code into the “Description” field of the “Remember me” block in the Drag & Drop Form settings. The injected script can then be executed, leading to the creation of a backdoor admin account or other malicious activities. This vulnerability affects over 200,000 active installations, posing a significant risk to websites using ProfilePress.
| CVE | CVE-2024-13120 |
| Plugin | ProfilePress < 4.15.20 |
| Critical | High |
| All Time | 13 914 700 |
| Active installations | 200 000+ |
| Publicly Published | January 17, 2024 |
| Last Updated | January 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13120 https://wpscan.com/vulnerability/5b70798c-c30d-42e6-ac72-821c5568b9b5/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 9, 2024 | Plugin testing and vulnerability detection in the ProfilePress have been completed |
| December 9, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2024 | Registered CVE-2024-13120 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of ProfilePress, where it was found that the plugin does not properly sanitize user input in the “Description” field under the “Remember me” block in the Drag & Drop Form settings. This allows attackers to inject malicious JavaScript code into this field, which is then saved in the WordPress database. When the form is rendered on the frontend, the malicious script executes, which can lead to session hijacking, account takeover, or the creation of backdoor admin accounts. The flaw stems from inadequate input validation and sanitization in user-provided content fields, allowing for the injection of JavaScript that will be executed by unsuspecting users.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are a significant security risk in WordPress plugins, especially in those that handle user-generated content or configuration settings. XSS allows an attacker to inject malicious JavaScript code into web pages, which is then executed in the browsers of users who view the page. In some cases, XSS vulnerabilities can be exploited to hijack user sessions, steal credentials, or gain unauthorized access to the site. A well-known real-world example of XSS in WordPress was found in the Contact Form 7 plugin, where attackers could inject JavaScript into form fields. CVE-2024-13120 is similar in nature, as it allows JavaScript injection in the “Description” field, which is later executed on the frontend.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13120, an attacker with editor-level privileges:
POC:
1) You should create a new Drag & Drop Form with any name and default scratch 2) Open settings of "Remember me" block and change "Description" field to <img src=x onerror=alert(1)> 3) Take a new shortcode of the form and create new post with it (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
Exploiting CVE-2024-13120 is simple but highly effective. An attacker with editor-level privileges can create a new Drag & Drop Form in ProfilePress with any name and default settings. The attacker then opens the settings of the “Remember me” block and modifies the “Description” field to contain a malicious payload, such as <img src=x onerror=alert(1)>. This JavaScript code triggers an alert when executed in the browser. After saving the settings, the attacker takes the new shortcode for the form and creates a new post with it. Once the post is viewed, the malicious script is executed, potentially allowing the attacker to hijack an admin’s session or escalate their privileges to create a backdoor admin account. This vulnerability can be exploited even by users with minimal privileges, such as editors, which makes it particularly dangerous.
Recommendations for Improved Security
The potential risks associated with CVE-2024-13120 are significant. If exploited, this vulnerability could allow an attacker to hijack an administrator’s session, gaining full control of the WordPress site. Once the attacker has admin access, they can modify content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, the attacker could create a backdoor admin account, enabling them to maintain access to the site even after the vulnerability is patched. This could be especially dangerous for websites that handle sensitive user information, such as e-commerce or membership sites, as it could result in data breaches, financial losses, and reputational damage. Additionally, the attacker could use the backdoor to install further malicious scripts or compromise other systems connected to the compromised WordPress site. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13120, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
