Everest Forms is a popular WordPress plugin that allows users to create and manage forms for collecting user information, including contact forms, surveys, and registration forms. A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13125, has been found in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Email Message” field in the Email Template settings. The injected script is then executed when the email template is previewed, allowing attackers to hijack the session of an admin user or escalate their privileges to gain full control of the WordPress site. With over 100,000 active installations, this vulnerability poses a significant security risk for websites using Everest Forms.
| CVE | CVE-2024-13125 |
| Plugin | Everest Forms < 3.0.8.1 |
| Critical | High |
| All Time | 6 424 100 |
| Active installations | 100 000+ |
| Publicly Published | January 17, 2024 |
| Last Updated | January 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13125 https://wpscan.com/vulnerability/f60a8358-1765-4cae-9c89-0d75c5e394ec/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 25, 2024 | Plugin testing and vulnerability detection in the Everest Forms have been completed |
| December 25, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2024 | Registered CVE-2024-13125 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of Everest Forms, specifically in the settings for the Email Template. It was found that the plugin fails to properly sanitize user input in the “Email Message” field. When an attacker injects malicious JavaScript, such as <img src=x onerror=alert(1)>, the script is stored in the database and executed when the email template is previewed. This flaw arises from inadequate input validation and sanitization in this field, allowing contributors and editors to insert arbitrary JavaScript. The vulnerability is especially dangerous because it can be exploited by users with low privileges, such as editors, without the need for admin access to exploit the flaw.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious JavaScript into a web page, which is then executed in the browsers of users who visit the page. XSS vulnerabilities are common in WordPress plugins that allow user-generated content, such as form fields and email templates, without proper input sanitization. A real-world example of XSS in WordPress occurred in the WPForms plugin, where attackers were able to inject malicious scripts into form fields, potentially leading to session hijacking. Similarly, CVE-2024-13125 allows attackers to inject malicious JavaScript into the “Email Message” field of Everest Forms, enabling them to execute arbitrary scripts when the email template is previewed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13125, an attacker with editor-level privileges:
POC:
1) You should create a new form. 2) Change "Email Message" field in main settings of Email Template to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)> 3) Save Settings 4) To trigger XSS you should preview Email Template____
The potential risks associated with CVE-2024-13125 are severe. If successfully exploited, this vulnerability could allow an attacker to hijack an admin’s session, gaining full control of the WordPress site. Once the attacker has admin access, they can modify content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could escalate their privileges by hijacking the session of an admin user, giving them long-term control of the site. For websites that handle sensitive user information, such as e-commerce or membership sites, this vulnerability could lead to significant data breaches, financial losses, and reputational damage. Moreover, once the attacker gains admin access, they can install additional malicious scripts or compromise other systems connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13125, administrators should immediately update the Everest Forms plugin to the latest version once a patch is released. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. Proper input sanitization and validation should be implemented for all fields that affect frontend content, such as the “Email Message” field. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13125, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
