In the ever-evolving landscape of web security, vulnerabilities in popular plugins pose significant risks to website integrity. One such critical vulnerability has been discovered in the Lightbox & Modal Popup WordPress Plugin – FooBox, identified as CVE-2024-3276. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to execute malicious scripts, leading to severe consequences such as backdoor creation and account takeovers.

CVECVE-2024-3276
PluginFooBox (Free and Premium) < 2.7.28
CriticalHigh
All Time2 340 358
Active installations100 000+
Publicly PublishedJune 9, 2024
Last UpdatedJune 9, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3276
https://wpscan.com/vulnerability/996d3247-ebdd-49d1-a1a3-ceedcf9f2f95/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

March 19, 2024Plugin testing and vulnerability detection in the Lightbox & Modal Popup WordPress Plugin – FooBox have been completed
March 19, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
June 9, 2024Registered CVE-2024-3276

Discovery of the Vulnerability

During a routine security assessment, a vulnerability was identified in FooBox that permits Stored XSS attacks. The flaw was found within the plugin’s settings, specifically in the “Specific CSS classes” field. By injecting a crafted payload, an attacker could exploit this vulnerability to execute arbitrary JavaScript code on behalf of an editor. This discovery highlights the importance of thorough security testing, even in widely-used and trusted plugins.

Understanding of Stored XSS attack’s

Cross-Site Scripting (XSS) is a common web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. In WordPress, XSS vulnerabilities are particularly dangerous due to the platform’s widespread use and the elevated privileges of user roles like editors and administrators. For instance, if an attacker gains access to an editor account, they can embed malicious scripts that execute whenever the affected page is loaded.

Real-world examples of XSS in WordPress include scenarios where attackers steal cookies, session tokens, or other sensitive information, hijack user sessions, or perform actions on behalf of the victim without their knowledge. The CVE-2024-3276 vulnerability in FooBox is a prime example of how XSS can be leveraged for malicious purposes.

Exploiting the Stored XSS Vulnerability

Exploiting the CVE-2024-3276 vulnerability involves injecting a malicious script into the “Specific CSS classes” field within the FooBox plugin settings. Here is a step-by-step outline of how the exploit can be carried out:

POC:

Go to settings an change “Specific CSS classes” field to 123″</script><img src=x onerror=alert(1)>alert(1) (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

The primary risk associated with this vulnerability is the potential for complete site compromise through backdoor creation. If an attacker can inject a script that creates an administrative account, they gain full control over the site. Real-world scenarios include:

  • Data Theft: Accessing and exfiltrating sensitive data stored within the WordPress site.
  • Defacement: Altering the site’s appearance or content to deliver malicious messages or damage the site’s reputation.
  • Further Exploitation: Using the compromised site to launch attacks on visitors or other connected systems.

Given the high number of active installations of FooBox, the impact of this vulnerability can be extensive, affecting numerous websites globally.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-3276, several security measures are recommended:

  1. Apply Patches and Updates: Ensure that all plugins, including FooBox, are updated to the latest versions where vulnerabilities have been patched.
  2. Sanitize Inputs: Developers should implement strict input validation and output encoding to prevent malicious scripts from being processed.
  3. Least Privilege Principle: Limit the use of high-privilege accounts. Editors and other users should only have the necessary permissions for their roles.
  4. Disable Unfiltered HTML: Administrators should disable the unfiltered_html capability for all roles to prevent the injection of arbitrary scripts.
  5. Security Audits: Regularly conduct security audits and penetration tests to identify and address vulnerabilities proactively.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3276, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-3276 – Lightbox & Modal Popup WordPress Plugin – FooBox – Stored XSS to backdoor creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *