During testing of the Enhanced Text Widget plugin for WordPress, a security vulnerability was identified that allows for Stored Cross-Site Scripting (XSS) attacks. The vulnerability arises from the plugin’s failure to properly validate and escape certain widget options before outputting them back in attributes. As a result, high privilege users such as administrators or editors can exploit this flaw to execute malicious scripts, potentially leading to account takeover (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).
Main info:
| CVE | CVE-2024-0559 |
| Plugin | Enhanced Text Widget < 1.6.6 |
| Critical | High |
| All Time | 772 593 |
| Active installations | 50 000+ |
| Publicly Published | February 20, 2023 |
| Last Updated | February 20, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0559 https://wpscan.com/vulnerability/b257daf2-9540-4a0f-a560-54b47d2b913f/ |
| Plugin Security Certification by CleanTalk |  |
Timeline
| January 12, 2023 | Plugin testing and vulnerability detection in the Enhanced Text Widget have been completed |
| January 12, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 5, 2023 | The author fixed the vulnerability and released the plugin update |
| February 20, 2023 | Registered CVE-2024-0559 |
Discovery of the Vulnerability
In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover.
Understanding of Stored XSS attack’s
Stored XSS vulnerabilities occur when user-supplied input is not properly sanitized before being stored and displayed back to other users. In WordPress, this can occur when plugins or themes fail to sanitize input fields or widget options, allowing attackers to inject malicious scripts that are executed within the context of other users’ browsers. Real examples of Stored XSS in WordPress include injecting scripts into comment sections, form fields, or widget content, which can then be executed when other users view the affected pages.
Exploiting the Stored XSS Vulnerability
POC:
- When creating a new widget, insert the following payload in the “CSS” field – ” onmouseover=”alert(/XSS/)”
___
The CVE-2024-0559 vulnerability in the Enhanced Text Widget plugin poses a significant risk to WordPress websites and their users. In a real-world scenario, an attacker could exploit this vulnerability to execute arbitrary JavaScript code within the context of other users’ sessions. This could lead to account takeover, theft of sensitive information, or the dissemination of malware.
Recommendations for Improved Security
To mitigate the risk associated with CVE-2024-0559 and similar vulnerabilities related to Stored XSS, the following recommendations are provided:
- Update the Enhanced Text Widget plugin to the latest patched version provided by the plugin developer, which should include proper input validation and output escaping mechanisms.
- Implement strict input validation and output escaping in all WordPress plugins and themes to prevent XSS attacks.
- Educate developers about secure coding practices, including the importance of sanitizing user input and properly escaping output.
- Regularly audit and review code for vulnerabilities, including XSS vulnerabilities, as part of the development process.
- Consider using security plugins or web application firewalls (WAFs) to monitor and block XSS attacks and other malicious activity.
- Stay informed about emerging security threats and best practices in WordPress security by participating in security communities and following reputable security resources.
By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Enhanced Text Widget.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
