Icegram Engage is a popular WordPress plugin for creating popups, opt-in forms, and other interactive elements that engage visitors. With over 30,000 active installations, it is widely used to enhance user experience on WordPress sites. However, a high-severity stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13486, has been identified in the plugin: a user with editor-level access can store malicious HTML and JavaScript that runs in the browser of whoever previews the campaign, potentially leading to backdoor creation and unauthorized account takeover. Versions before 3.1.32 are affected.
| Field | Value |
|---|---|
| CVE | CVE-2024-13486 |
| Plugin | Icegram Engage < 3.1.32 |
| Severity | High |
| All-time downloads | 2 402 123 |
| Active installations | 30 000+ |
| Publicly published | March 11, 2025 |
| Last updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13486 , https://wpscan.com/vulnerability/cbba8346-41f6-46ee-89ae-ed9524d768ef/ |
Timeline

| Date | Event |
|---|---|
| November 27, 2024 | Plugin testing and vulnerability detection in Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA completed |
| November 27, 2024 | Contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | CVE-2024-13486 registered |
Discovery of the Vulnerability
The vulnerability was discovered during testing of Icegram Engage's "My First Icegram Campaign" functionality. The issue is in the "CSS" field under the "Custom Code" section, where users add custom styles for a campaign. The field's value is stored and later written into the campaign's style block without sanitization or validation, so a value that closes the style element with "</style>" is followed by whatever HTML the attacker appends, including tags that carry JavaScript. The stored payload executes when the campaign is previewed. A user with editor-level access or higher can therefore inject code that runs in the browser of an administrator or any other privileged user who previews the campaign.
Understanding XSS attacks
Cross-Site Scripting (XSS) occurs when an attacker can inject script into a page that is later rendered in another user's browser, where it runs with that user's session and privileges. In WordPress, stored XSS that is reachable from wp-admin is particularly dangerous because the script executes as the administrator who views the affected page and can drive admin forms and the REST API with the victim's cookies and nonces. CVE-2024-13486 in Icegram Engage lets a user with editor access store HTML and JavaScript in the campaign's "CSS" field; when an administrator previews the campaign, the injected script can steal the session cookie, perform administrative actions such as creating a new administrator user, or plant a backdoor, which amounts to privilege escalation from editor to administrator.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13486, an attacker with editor-level privileges or higher proceeds as follows.
POC:
1. Duplicate "My First Icegram Campaign" from 127.0.0.1/wordpress/wp-admin/edit.php?post_type=ig_campaign.
2. In the Custom Code section, set the "CSS" field to "</style><img src=x onerror=alert(1)>".
3. Save the campaign.
4. Click Preview: the stored payload executes in the previewing user's browser.
Note: on a single-site WordPress install, administrators and editors hold the unfiltered_html capability, which lets them place JavaScript in posts, pages, comments and similar content by design. When testing for stored XSS with such roles, disable that capability (for example by defining DISALLOW_UNFILTERED_HTML as true in wp-config.php) so that the finding reflects the plugin's own handling of the field rather than a core permission.
The risks posed by CVE-2024-13486 are significant. In a real-world scenario, an attacker holding an editor account could use this vulnerability to escalate to administrator: the injected script runs in an administrator's browser when the campaign is previewed, and from there it can steal the session cookie or perform privileged actions with the administrator's session, such as creating a new administrator user. With admin access the attacker can take full control of the website, install malware, modify content, or steal sensitive information. This is especially damaging for websites that collect sensitive user data, such as e-commerce sites or membership platforms, where it can lead to data theft or unauthorized transactions.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13486, Icegram Engage users should update the plugin to version 3.1.32 or later. On the developer side, every field whose value is rendered into a page needs sanitization on save and escaping on output that matches the context it is rendered in. For the "CSS" field, which is emitted inside a style element, the key requirement is that the value can never close that element: stripping "<" from the value (or rejecting a value that contains "</style") achieves this without breaking legitimate CSS, whereas esc_html() would also rewrite ">" and break child selectors such as "a > b". WordPress functions such as wp_kses() and esc_html() remain the right tools for fields rendered as HTML, where they strip or neutralize script-bearing markup. Site administrators should additionally restrict access to sensitive plugin settings so that only trusted users can modify campaign settings, and regular security audits together with a Web Application Firewall (WAF) can help identify and block XSS payloads before they are stored. The vendor fixed the issue in the patched release following the recommendations we provided.
By taking proactive measures against stored XSS vulnerabilities like CVE-2024-13486, WordPress website owners can strengthen their security posture and guard against exploitation. Stay vigilant, stay secure.
Dmitrii I.