A critical vulnerability, CVE-2024-0673, has been uncovered in the Pz-LinkCard plugin for WordPress. The flaw allows Stored Cross-Site Scripting (XSS), enabling malicious actors to create JavaScript backdoors and potentially compromise admin accounts. Because the affected field lives in the plugin settings, it is high-privilege users such as administrators who can exploit the flaw to execute malicious scripts, which can still lead to account takeover: an attacker who has previously hijacked an administrator or editor account can plant a backdoor there to regain access later.

Main info:

CVE: CVE-2024-0673
Plugin: Pz-LinkCard <= 2.5.1
Criticality: High
All Time: 569 850
Active installations: 30 000+
Publicly Published: March 7, 2023
Last Updated: March 7, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0673
https://wpscan.com/vulnerability/d80e725d-356a-4997-a352-33565e291fc8/

Timeline

February 15, 2023: Plugin testing and vulnerability detection in the Pz-LinkCard have been completed
February 15, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 7, 2024: Registered CVE-2024-0673

Discovery of the Vulnerability

During routine testing, security researchers identified a vulnerability in the Pz-LinkCard plugin that permits the injection of malicious XSS payloads via the settings page. Because the injected script runs in the browser of whoever views the affected page, including administrators, the vulnerability puts admin-level privileges at risk and is a significant security concern for WordPress website owners.

Understanding Stored XSS attacks

Stored XSS involves injecting malicious scripts into a website’s database, from where they are served and executed whenever the stored value is rendered. In WordPress, this can occur through input fields, such as those found in plugin settings pages. Real-world examples of Stored XSS attacks include injecting malicious scripts into comment forms or input fields, leading to the execution of arbitrary code when the page is viewed by other users.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2024-0673, an attacker inserts a crafted XSS payload into the “Class ID to be Added (for PC)” field within the “Advanced” category of the plugin settings. This payload is then executed when an admin accesses the affected page, potentially leading to the creation of a JavaScript backdoor.

POC:

  1. Go to http://your_site/wordpress/wp-admin/options-general.php?page=pz-linkcard-settings, open the “Advanced” category and insert the following payload in the “Class ID to be Added (for PC)” field:

___

The risk posed by this vulnerability is severe, as it allows attackers to gain unauthorized access to admin accounts, compromising the entire WordPress website. With admin-level privileges, attackers can execute arbitrary code, steal sensitive data, or even plant persistent backdoors for future exploitation.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2024-0673 and similar vulnerabilities, WordPress website owners should delete the Pz-LinkCard plugin. Additionally, implementing robust input validation and output sanitization in plugin development can help prevent XSS vulnerabilities: a field that holds a CSS class name should accept only class-name characters on save, and every stored value should be escaped when it is written into HTML. Regular security audits and monitoring of plugin updates are also recommended to ensure the ongoing security of WordPress websites. Use a WAF for web applications.
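As an added example (not the plugin's own code, nor code from the advisory), here is the defensive pattern the recommendation describes, applied to a setting like the “Class ID to be Added (for PC)” field: allow-list the value on save and escape it on output. The function names and the sample input are constructed for this illustration; the WordPress equivalents named in the comments are sanitize_html_class() and esc_attr().

```php
<?php
// Added example, not Pz-LinkCard code: safe handling of a "class ID" setting
// so that a value stored by a privileged user cannot become script when the
// settings page or a link card is rendered.

// Allow-list on save: a CSS class may only contain letters, digits, hyphens
// and underscores; several classes are separated by whitespace. The WordPress
// equivalent is sanitize_html_class() per class, wired in as the
// 'sanitize_callback' argument of register_setting().
function pz_demo_sanitize_class_list(string $raw): string {
    $classes = preg_split('/\s+/', trim($raw)) ?: [];
    $clean = [];
    foreach ($classes as $class) {
        $c = preg_replace('/[^A-Za-z0-9_-]/', '', $class);
        if ($c !== '') {
            $clean[] = $c;
        }
    }
    return implode(' ', $clean);
}

// Escape on output regardless of what is stored, so a bad value that reached
// the database is still rendered as text, not markup. WordPress: esc_attr().
function pz_demo_render_card(string $class_id): string {
    $attr = htmlspecialchars($class_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="linkcard ' . $attr . '">...</div>';
}

// Vulnerable pattern (the "before"): the stored value is echoed straight into
// the attribute, so a double quote in it closes the attribute and whatever
// follows is parsed as HTML.
function pz_demo_render_card_unsafe(string $class_id): string {
    return '<div class="linkcard ' . $class_id . '">...</div>';
}

// Constructed sample input: a value that closes the attribute and injects a tag.
$submitted = 'my-card"><b>injected</b>';

echo "unsafe : " . pz_demo_render_card_unsafe($submitted) . PHP_EOL;

// With the allow-list applied on save, only class-name characters survive.
$stored = pz_demo_sanitize_class_list($submitted);
echo "stored : " . $stored . PHP_EOL;
echo "safe   : " . pz_demo_render_card($stored) . PHP_EOL;

// Escaping alone also keeps an unsanitized value inert in the attribute.
echo "escaped: " . pz_demo_render_card($submitted) . PHP_EOL;
```

Run with `php` on the command line to compare the four rendered strings; in a real plugin both layers belong together, since the sanitizer protects the stored data and the escaper protects every place it is printed.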

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-0673, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



DMITRII I.
CVE-2024-0673 – Pz-LinkCard – Stored XSS to JS backdoor creation – POC
