A critical vulnerability, CVE-2024-0673, has been uncovered in the Pz-LinkCard plugin for WordPress. The flaw allows Stored Cross-Site Scripting (XSS): a script saved in a plugin setting is executed in the browser of every user who later opens that page, which lets an attacker plant a JavaScript backdoor and potentially compromise admin accounts. High-privilege users such as administrators can exploit this flaw to execute malicious scripts, potentially leading to account takeover (an attacker who has previously hijacked an administrator or editor account can plant a backdoor to regain access after the original foothold is removed).
Main info:

| Field | Value |
| --- | --- |
| CVE | CVE-2024-0673 |
| Plugin | Pz-LinkCard <= 2.5.1 |
| Critical | High |
| All Time | 569 850 |
| Active installations | 30 000+ |
| Publicly Published | March 7, 2023 |
| Last Updated | March 7, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0673 ; https://wpscan.com/vulnerability/d80e725d-356a-4997-a352-33565e291fc8/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
| --- | --- |
| February 15, 2023 | Plugin testing and vulnerability detection in the Pz-LinkCard have been completed |
| February 15, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 7, 2024 | Registered CVE-2024-0673 |
Discovery of the Vulnerability
During routine testing, security researchers identified a vulnerability in the Pz-LinkCard plugin that permits the injection of malicious XSS payloads via the plugin settings page. Because the settings page is rendered for administrators, the injected script runs with admin-level privileges, making this a significant security concern for WordPress website owners.
Understanding Stored XSS attacks
Stored XSS involves injecting malicious scripts into a website's database; the scripts are then executed whenever the stored value is rendered into a page without proper escaping. In WordPress, this can occur through input fields such as those found on plugin settings pages. Real-world examples of Stored XSS attacks include injecting malicious scripts into comment forms or input fields, leading to the execution of arbitrary code when the content is viewed by other users.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2024-0673, an attacker inserts a crafted XSS payload into the “Class ID to be Added (for PC)” field within the “Advanced” category of the plugin settings. This payload is then executed when an admin accesses the affected page, potentially leading to the creation of a JavaScript backdoor.
POC:
- Go to http://your_site/wordpress/wp-admin/options-general.php?page=pz-linkcard-settings, open the “Advanced” category and insert the following payload in the “Class ID to be Added (for PC)” field
___
The risk posed by this vulnerability is severe, as it allows attackers to gain unauthorized access to admin accounts, compromising the entire WordPress website. With admin-level privileges, attackers can execute arbitrary code, steal sensitive data, or even plant persistent backdoors for future exploitation.
Recommendations for Improved Security
To mitigate the risk associated with CVE-2024-0673 and similar vulnerabilities, WordPress website owners should delete the Pz-LinkCard plugin. Additionally, implementing robust input validation and output sanitization in plugin development can help prevent XSS vulnerabilities: validate a setting against what it is actually allowed to contain when it is saved, and escape it for the context in which it is output (an HTML attribute, in this case). Regular security audits and monitoring of plugin updates are also recommended to ensure the ongoing security of WordPress websites. Use a WAF for web applications.
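The pattern behind this class of bug, and the two fixes recommended above, side by side. This is an added example written for this post; it is not code from Pz-LinkCard or from CleanTalk, and the field name `pz_class_pc` is a placeholder. It is plain PHP so it runs stand-alone (`php example.php`); the WordPress functions that do the same job in a real plugin are named in the comments.

```php
<?php
// Added example, not Pz-LinkCard's code. Plain PHP so it runs stand-alone;
// the equivalent WordPress calls are named in the comments.

// Unsafe pattern: the stored option is echoed into the settings form verbatim,
// so whatever was saved runs in the browser of the next admin who opens the page.
function render_class_field_unsafe(string $stored): string
{
    return '<input type="text" name="pz_class_pc" value="' . $stored . '">';
}

// Save-time validation: a "class ID" field only ever needs CSS class tokens,
// so accept nothing but [A-Za-z0-9_-] tokens. Tokens that fail are dropped
// rather than repaired, so the result is unambiguous. In WordPress, register
// this through register_setting()'s 'sanitize_callback'; sanitize_html_class()
// is the core helper (it strips bad characters instead of dropping the token).
function sanitize_class_list(string $raw): string
{
    $clean = [];
    foreach (preg_split('/\s+/', trim($raw)) as $token) {
        if ($token !== '' && preg_match('/^[A-Za-z0-9_-]+$/', $token) === 1) {
            $clean[] = $token;
        }
    }
    return implode(' ', $clean);
}

// Output-time escaping for the attribute context (esc_attr() in WordPress).
// Kept even after validation: defence in depth against values that reached the
// database by another path (direct SQL, an older plugin version, an import).
function render_class_field_safe(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="pz_class_pc" value="' . $escaped . '">';
}

// Constructed sample input: one legitimate class plus a value that closes the
// attribute and injects markup (no script, enough to show the breakout).
$submitted = 'card "><b>injected</b>';

echo "unsafe:    ", render_class_field_unsafe($submitted), PHP_EOL;
// value="card "><b>injected</b>">   <- the markup has left the attribute

echo "validated: ", sanitize_class_list($submitted), PHP_EOL;
// card                               <- only the legitimate token is stored

echo "safe:      ", render_class_field_safe($submitted), PHP_EOL;
// value="card &quot;&gt;&lt;b&gt;injected&lt;/b&gt;"   <- inert text
```

The two layers answer different questions. Validation on save keeps junk out of `wp_options` in the first place, which also makes the table easier to audit after an incident; escaping on output protects the page even when the stored value is not what the plugin expected.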
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-0673, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.