ProfilePress is a popular WordPress plugin that lets site administrators manage user profiles, registration forms, and member directories. A high-severity Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13121, was discovered in the plugin. It allows an attacker with editor-level access to inject JavaScript into the "Search Filter Fields Text" setting of a Member Directory. The payload is saved to the database and executed in the browser of anyone who later views a page that renders that directory, including administrators, which can lead to session hijacking, account takeover and the creation of backdoor admin accounts. With over 200,000 active installations, the issue affects a large number of sites running ProfilePress below version 4.15.20.

CVE: CVE-2024-13121
Plugin: ProfilePress < 4.15.20
Severity: High
All-time downloads: 13 914 700
Active installations: 200 000+
Publicly Published: January 17, 2024
Last Updated: January 17, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13121
Reference: https://wpscan.com/vulnerability/59ee8fe5-4820-4d52-b17a-7044631c40c1/
Timeline

December 9, 2024: Plugin testing and vulnerability detection in ProfilePress were completed.
December 9, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
January 17, 2024: Registered CVE-2024-13121.

Discovery of the Vulnerability

The vulnerability was discovered during a security review of ProfilePress. The issue is in the "Search Filter Fields Text" field within the "Colors" section of the Member Directory settings. The field is meant to hold a colour value, but the plugin neither validates nor escapes what is entered, and the saved value is written into the page when the directory is rendered. An attacker can therefore store a payload such as `#66666</style><img src=x onerror=alert(1)>`: the `</style>` closes the element the colour is emitted into, and the `<img>` tag that follows is parsed as markup and fires its `onerror` handler. Once saved, the payload sits in the WordPress database and executes in the browser of every visitor to a page containing the directory shortcode, including logged-in administrators, which enables session hijacking, privilege escalation, or creation of a backdoor admin account. The root cause is the plugin's failure to sanitize the setting before storing it and to escape it before output.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities occur when an attacker gets malicious JavaScript into a web page that is then executed by the browsers of other users viewing it. In a Stored XSS, the payload is saved server-side (here, in a plugin setting) and delivered to every subsequent visitor, which makes it more dangerous than a reflected variant: it can lead to session hijacking, data theft, and privilege escalation without any interaction beyond loading the page. WordPress plugins that write user-supplied content or settings into the frontend without proper sanitization and escaping are especially exposed. A previous real-world example is the WPForms plugin, where attackers could inject JavaScript into form fields. Similarly, CVE-2024-13121 allows attackers to inject scripts into the "Search Filter Fields Text" setting in ProfilePress, enabling the execution of arbitrary JavaScript on the frontend.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13121, an attacker with editor-level privileges proceeds as follows.

POC:

1) Navigate to http://127.0.0.1/wordpress/wp-admin/admin.php?page=ppress-directories
2) Create a new Member Directory with any name.
3) Scroll down to "Directory Settings", open the "Colors" section and change "Search Filter Fields Text" to malicious JavaScript (eval() and the like), for example `#66666</style><img src=x onerror=alert(1)>`, then click Save Settings.
4) Copy the shortcode of the new member directory and create a new post with it. Anyone who views the post, including an administrator, executes the payload. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles, to be sure the script runs because of the plugin setting and not because of the post body.)
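The following is an added example, not ProfilePress code, that reproduces the pattern behind the PoC above and the fix the plugin should apply: a colour setting echoed raw into a `<style>` block next to a version that validates the value with WordPress's `sanitize_hex_color()` on save and again on output. The settings-array key, the CSS selector and the default colour are assumptions for illustration; the fallback function definition only exists so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example (not ProfilePress code). Option keys, selector and the
// default colour are assumptions for illustration.

// Stand-in for WordPress's sanitize_hex_color() so this runs under plain
// `php`; inside WordPress the real function is used instead.
if (!function_exists('sanitize_hex_color')) {
    function sanitize_hex_color($color) {
        if ('' === $color) {
            return '';
        }
        // A leading '#' followed by exactly 3 or 6 hex digits, nothing else.
        return preg_match('/^#([A-Fa-f0-9]{3}){1,2}$/', $color) ? $color : null;
    }
}

/** Vulnerable: the stored value is written into the style block untouched. */
function render_directory_css_vulnerable(array $settings): string {
    $color = $settings['search_filter_fields_text'];
    return "<style>.ppress-dir-search input { color: {$color}; }</style>";
}

/** Hardened, step 1: validate on save so a non-colour is never stored. */
function save_directory_settings_hardened(array $raw): array {
    $color = sanitize_hex_color($raw['search_filter_fields_text'] ?? '');
    // null means "not a hex colour": keep the default instead of the input.
    return ['search_filter_fields_text' => $color ?: '#333333'];
}

/** Hardened, step 2: re-validate at output time, since rows written before
 *  the fix (or by another code path) may still hold arbitrary strings. */
function render_directory_css_hardened(array $settings): string {
    $color = sanitize_hex_color($settings['search_filter_fields_text'] ?? '') ?: '#333333';
    return "<style>.ppress-dir-search input { color: {$color}; }</style>";
}

// Demo with the PoC payload from the steps above.
$payload = '#66666</style><img src=x onerror=alert(1)>';

echo render_directory_css_vulnerable(['search_filter_fields_text' => $payload]), PHP_EOL;
// The </style> in the value closes the block; the <img> becomes live markup.

$saved = save_directory_settings_hardened(['search_filter_fields_text' => $payload]);
echo render_directory_css_hardened($saved), PHP_EOL;
// The payload was rejected on save; only the default colour reaches the page.

// A legitimate value passes through both checks unchanged.
$ok = save_directory_settings_hardened(['search_filter_fields_text' => '#66aa00']);
echo render_directory_css_hardened($ok), PHP_EOL;
```

Validating on both save and output matters: a fix that only sanitizes new saves leaves payloads stored before the update live on the frontend until every directory is re-saved.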


The risks associated with CVE-2024-13121 are significant. If exploited, an attacker could hijack an administrator's session when the administrator views a page containing the poisoned directory, gaining full control over the WordPress site. With admin access, they could modify content, install malicious plugins, steal sensitive data, or deface the site. In a realistic scenario the injected script would silently create a backdoor administrator account through the admin's own authenticated session, letting the attacker keep control even after the plugin is patched and the payload is removed. This is particularly concerning for websites handling sensitive information, such as e-commerce or membership sites, where the result could be data breaches, financial losses, and reputational damage. Once an admin account is compromised, the attacker can also install further malicious code or move on to other systems connected to the site.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-13121, administrators should update ProfilePress to version 4.15.20 or later; the vendor applied the fixes we recommended in that release. On the plugin side, the root cause is missing sanitization: a setting that holds a colour should be validated as a colour (for example with sanitize_hex_color()) when it is saved and escaped again when it is written into the page, so that no stored value can close the <style> element it is rendered into. Restricting the unfiltered_html capability for non-admin users (DISALLOW_UNFILTERED_HTML in wp-config.php) does not fix this setting, since the plugin writes it to the page regardless of the capability, but it is sound defence in depth: it stops editors from placing JavaScript in posts and pages and removes a legitimate script-injection path from any compromised editor account. A Content Security Policy that disallows inline scripts limits what an injected payload can do, and regular security audits together with periodic review of user roles help catch both the vulnerability and the accounts that could abuse it. After updating, it is also worth checking whether a payload was already stored before the patch.
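As an added example (not part of the original post or of ProfilePress), the script below is the post-disclosure triage check suggested above: it walks a dump of option values, unserialises the arrays WordPress stores, and flags any string that contains markup a colour or label setting should never hold. The `$rows` array is a constructed stand-in for `wp_options` rows, and the option names in it are assumptions for illustration, not the plugin's real keys.

```php
<?php
// Added example (not part of the original post). $rows is a constructed
// stand-in for wp_options; option names are assumptions for illustration.

/**
 * Return [option_name => [pattern label, ...]] for every option whose value
 * contains markup with no business in a colour or label setting.
 * Serialised values are unserialised and walked recursively.
 */
function find_injected_markup(array $rows): array {
    $patterns = [
        'script_tag'     => '/<\s*script\b/i',
        'style_breakout' => '/<\s*\/\s*style\s*>/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',
        'js_url'         => '/javascript\s*:/i',
        'embed_tag'      => '/<\s*(svg|iframe|object|embed)\b/i',
    ];
    $findings = [];
    foreach ($rows as $name => $value) {
        foreach (flatten_option_value($value) as $leaf) {
            foreach ($patterns as $label => $re) {
                if (preg_match($re, $leaf)) {
                    $findings[$name][$label] = true;
                }
            }
        }
    }
    return array_map('array_keys', $findings);
}

/** Collect every string leaf inside a (possibly serialised) option value. */
function flatten_option_value($value): array {
    if (is_string($value)) {
        // WordPress stores arrays with serialize(). allowed_classes=false keeps
        // a crafted value from instantiating objects while we triage.
        $decoded = @unserialize($value, ['allowed_classes' => false]);
        if ($decoded !== false && !is_string($decoded)) {
            return flatten_option_value($decoded);
        }
        return [$value];
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $v) {
            $out = array_merge($out, flatten_option_value($v));
        }
        return $out;
    }
    return [];
}

// Constructed sample rows: one directory carrying the PoC payload inside a
// serialised settings array, one clean directory, one unrelated core option.
$rows = [
    'ppress_dir_1' => serialize([
        'name'   => 'Staff',
        'colors' => ['search_filter_fields_text' => '#66666</style><img src=x onerror=alert(1)>'],
    ]),
    'ppress_dir_2' => serialize([
        'name'   => 'Members',
        'colors' => ['search_filter_fields_text' => '#333333'],
    ]),
    'blogname' => 'Example Site',
];

foreach (find_injected_markup($rows) as $option => $hits) {
    echo $option, ': ', implode(', ', $hits), PHP_EOL;
}
// Expected: only ppress_dir_1 is reported, with style_breakout and event_handler.
```

On a live site the `$rows` array would come from `SELECT option_name, option_value FROM wp_options` (or `wp option list --format=json` with WP-CLI). The patterns are deliberately broad, so treat a hit as something to inspect by hand rather than as proof of compromise; a clean result does not prove the absence of a backdoor account, which should be checked separately in the users table.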

By addressing Stored XSS vulnerabilities like CVE-2024-13121 proactively, WordPress site owners can strengthen their security posture and guard against exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-13121 – ProfilePress – Stored XSS to JS Backdoor Creation – POC