During testing of the Enhanced Text Widget plugin for WordPress, a Stored Cross-Site Scripting (XSS) vulnerability was identified. It arises from the plugin's failure to validate and escape certain widget options before outputting them inside HTML attributes. As a result, high-privilege users such as administrators or editors can exploit this flaw to execute malicious scripts, potentially leading to account takeover: an attacker who has previously hijacked an administrator or editor account can plant a persistent backdoor to regain access later.

Main info:

CVE: CVE-2024-0559
Plugin: Enhanced Text Widget < 1.6.6
Critical: High
All Time: 772 593
Active installations: 50 000+
Publicly Published: February 20, 2023
Last Updated: February 20, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0559
https://wpscan.com/vulnerability/b257daf2-9540-4a0f-a560-54b47d2b913f/

Timeline

January 12, 2023: Plugin testing and vulnerability detection in the Enhanced Text Widget have been completed
January 12, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 5, 2023: The author fixed the vulnerability and released the plugin update
February 20, 2023: Registered CVE-2024-0559

Discovery of the Vulnerability

While testing the plugin, a vulnerability was found that allows Stored XSS to be carried out from an editor account by embedding a malicious script, which can lead to account takeover.

Understanding Stored XSS attacks

Stored XSS vulnerabilities occur when user-supplied input is not properly sanitized before being stored and displayed back to other users. In WordPress, this can occur when plugins or themes fail to sanitize input fields or widget options, allowing attackers to inject malicious scripts that are executed within the context of other users’ browsers. Real examples of Stored XSS in WordPress include injecting scripts into comment sections, form fields, or widget content, which can then be executed when other users view the affected pages.

Exploiting the Stored XSS Vulnerability

POC:

  1. When creating a new widget, insert the following payload in the "CSS" field: " onmouseover="alert(/XSS/)"
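To show why the payload above works and what the fix looks like, here is an added illustration in the style of a WordPress widget. It is not the Enhanced Text Widget's own code; it assumes the option is named `css` and is rendered into a `class` attribute, which the page does not specify.

```php
<?php
// Added illustration (not the Enhanced Text Widget's code): the unescaped-attribute
// pattern behind CVE-2024-0559 beside its corrected form.
// Assumptions: the widget option is called 'css' and is printed into a class attribute.

// Save handler: sanitize each option before it is stored. This limits what can be
// saved, but storage-time sanitization alone does not make attribute output safe.
function example_widget_update( array $new_instance, array $old_instance ): array {
    $instance         = $old_instance;
    $instance['text'] = wp_kses_post( $new_instance['text'] ?? '' );
    $instance['css']  = sanitize_text_field( $new_instance['css'] ?? '' );
    return $instance;
}

// VULNERABLE pattern: the stored option is concatenated straight into an attribute.
// With css = '" onmouseover="alert(/XSS/)"' the first double quote closes the class
// value and the remainder becomes a new event-handler attribute on the <div>.
function example_widget_render_unsafe( array $instance ): string {
    return '<div class="' . $instance['css'] . '">'
         . $instance['text']
         . '</div>';
}

// FIXED pattern: esc_attr() encodes the double quote as &quot;, so the browser keeps
// the entire value inside the class attribute and no handler is created.
function example_widget_render( array $instance ): string {
    return '<div class="' . esc_attr( $instance['css'] ) . '">'
         . wp_kses_post( $instance['text'] )
         . '</div>';
}

// Constructed sample: the PoC payload from this advisory as an editor would submit it.
$stored = example_widget_update(
    array( 'text' => '<p>Hello</p>', 'css' => '" onmouseover="alert(/XSS/)"' ),
    array()
);
// Unsafe output: <div class="" onmouseover="alert(/XSS/)"">...
// Fixed output:  <div class="&quot; onmouseover=&quot;alert(/XSS/)&quot;">...
echo example_widget_render_unsafe( $stored ), "\n";
echo example_widget_render( $stored ), "\n";
```

Run inside a WordPress environment (for example via WP-CLI's `wp eval-file`), since `esc_attr()`, `wp_kses_post()` and `sanitize_text_field()` are WordPress core functions.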

___

The CVE-2024-0559 vulnerability in the Enhanced Text Widget plugin poses a significant risk to WordPress websites and their users. In a real-world scenario, an attacker could exploit this vulnerability to execute arbitrary JavaScript code within the context of other users’ sessions. This could lead to account takeover, theft of sensitive information, or the dissemination of malware.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2024-0559 and similar vulnerabilities related to Stored XSS, the following recommendations are provided:

  • Update the Enhanced Text Widget plugin to the latest patched version provided by the plugin developer, which should include proper input validation and output escaping mechanisms.
  • Implement strict input validation and output escaping in all WordPress plugins and themes to prevent XSS attacks.
  • Educate developers about secure coding practices, including the importance of sanitizing user input and properly escaping output.
  • Regularly audit and review code for vulnerabilities, including XSS vulnerabilities, as part of the development process.
  • Consider using security plugins or web application firewalls (WAFs) to monitor and block XSS attacks and other malicious activity.
  • Stay informed about emerging security threats and best practices in WordPress security by participating in security communities and following reputable security resources.

By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Enhanced Text Widget.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


DMITRII I.
CVE-2024-0559 – Enhanced Text Widget – Stored XSS – POC
