Email Subscribers is a WordPress plugin designed to simplify the management of email subscriptions, newsletters, and automated email campaigns. With over 80,000 active installations, it is widely used by website administrators for email marketing and user engagement. However, a critical vulnerability, CVE-2024-11924, has been identified in the plugin that allows stored Cross-Site Scripting (XSS). This vulnerability enables an attacker with editor-level access to inject malicious JavaScript, potentially leading to backdoor creation and full admin account takeover.
| Field | Value |
|---|---|
| CVE | CVE-2024-11924 |
| MapPress Maps for WordPress < 2.94.10 | |
| Critical | High |
| All Time | 11 777 968 |
| Active installations | 80 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11924 https://wpscan.com/vulnerability/70288369-132d-4211-bca0-0411736df747/ |
Timeline

| Date | Event |
|---|---|
| March 4, 2025 | Plugin testing and vulnerability detection in the Email Subscribers have been completed |
| March 4, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2024-11924 |
Discovery of the Vulnerability
This vulnerability was discovered during routine security testing of the Email Subscribers plugin. It was found that the plugin fails to properly sanitize user input in certain fields, specifically the “Label text” field within the form settings. By allowing unsanitized input, the plugin inadvertently exposes itself to malicious JavaScript injection, making it possible for users with editor-level permissions to inject malicious code that could be executed when another user (or administrator) views the form on the site. This flaw is especially dangerous because it allows an attacker to escalate privileges, potentially taking over the site by gaining admin access.
Understanding XSS attacks
Cross-Site Scripting (XSS) vulnerabilities are one of the most common and dangerous types of security flaws in web applications. XSS occurs when an attacker is able to inject malicious scripts into content that is rendered on the web page. These scripts are then executed in the browser of any user who views the affected content, often leading to the theft of session cookies, credential hijacking, and unauthorized actions performed in the context of the victim’s account. In WordPress, XSS vulnerabilities are often found in plugins that allow user-generated content or input. Real-world examples include attackers using XSS to steal admin credentials, alter the content of posts or pages, or create backdoors for persistent access to the site. CVE-2024-11924 shares these characteristics, allowing attackers to inject JavaScript that could lead to privilege escalation and backdoor access to WordPress sites.
Exploiting the XSS Vulnerability
To exploit CVE-2024-11924, an attacker with editor+ privileges:
POC:
1. Create a new Form and add a "Name" block.
2. Change the "Label text" field to "<img src=x onerror=alert(1)>".
3. Click Next and switch on the "Show in popup" button.
4. Save and copy the shortcode of this form.
5. To trigger the XSS, create a new post and insert the shortcode of this form.
(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
The potential risks associated with CVE-2024-11924 are severe, particularly for websites that rely on Email Subscribers for managing communications. If this vulnerability is exploited, an attacker can hijack the session of a privileged user, such as an admin, and gain full control of the WordPress site. In a real-world scenario, this could lead to data theft, site defacement, or unauthorized changes to critical settings. For e-commerce sites or those handling sensitive user information, this could have catastrophic consequences, such as leaking customer data, altering transactions, or even delivering malware to users through injected scripts. Additionally, attackers could use the injected JavaScript to create persistent backdoors, allowing them to maintain control over the site even after remediation attempts.
Recommendations for Improved Security
To mitigate the risk of CVE-2024-11924, users of the Email Subscribers plugin should update to the latest version, which includes a fix for this vulnerability. The plugin developers should ensure that all user inputs, especially those that are rendered on the frontend, are properly sanitized and validated. WordPress's built-in sanitization functions, such as esc_html() and wp_kses(), should be used to strip out any potentially dangerous code. Administrators should also consider limiting the roles of users who have access to sensitive settings within plugins, ensuring that only trusted users are allowed to manage form fields or other customizable content. Lastly, regular security audits and monitoring should be performed to ensure that all plugins and themes are free of vulnerabilities that could be exploited by attackers. To prevent this type of attack, the vendor applied our recommended methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11924, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.