During the assessment of the Buttons Shortcode and Widget plugin for WordPress, a critical vulnerability was uncovered. It was observed that the plugin allowed the execution of Stored Cross-Site Scripting (XSS) attacks via shortcode embedding. This flaw enables contributors and users with higher privileges to inject malicious scripts into new posts or pages using the plugin’s shortcode functionality.
Main info:
| CVE | CVE-2024-0711 |
| Plugin | Buttons Shortcode and Widget <= 1.16 |
| Critical | High |
| All Time | 164 184 |
| Active installations | 5 000+ |
| Publicly Published | February 20, 2023 |
| Last Updated | February 20, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0711 https://wpscan.com/vulnerability/8e286c04-ef32-4af0-be78-d978999b2a90/ |
| Plugin Security Certification by CleanTalk |  |
Timeline
| January 8, 2023 | Plugin testing and vulnerability detection in the Buttons Shortcode and Widget have been completed |
| January 8, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 20, 2023 | Registered CVE-2024-0711 |
Discovery of the Vulnerability
In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding malicious script, which entails account takeover
Understanding of Stored XSS attack’s
Stored XSS vulnerabilities occur when user input is not properly sanitized or validated before being stored in the database and later displayed on web pages. In the context of WordPress, this vulnerability allows attackers to embed malicious scripts into content creation elements such as posts, pages, or widgets. When unsuspecting users view the compromised content, the injected scripts execute in their browsers, potentially leading to account takeover, data theft, or other malicious activities. Real-world examples include injecting malicious JavaScript code into form fields, buttons, or other interactive elements using shortcodes.
Exploiting the Stored XSS Vulnerability
To exploit this vulnerability, an attacker could craft a malicious shortcode payload and embed it within a new post or page using the plugin’s shortcode syntax. Upon viewing the compromised content, unsuspecting users trigger the execution of the malicious script, which can perform actions such as stealing session cookies, redirecting users to phishing sites, or executing arbitrary code on the victim’s browser. In the provided POC payload, the attacker utilizes the onmouseover event to trigger an alert message, demonstrating the potential impact of the vulnerability.
POC:
- [otw_shortcode_button href=”http://9ml” size=”medium” icon_position=”left” shape=”square” icon_url=”http://9ml” color_class=”otw-pink” css_class='” onmouseover=”alert(/XSS/)”‘ target=”_blank”]123[/otw_shortcode_button]
___
The vulnerability exposes websites to various risks and real-world scenarios, including:
- Unauthorized access to sensitive user data, such as cookies or session tokens.
- Phishing attacks targeting site visitors to steal credentials or sensitive information.
- Website defacement or redirection to malicious domains.
- Injection of malicious code to compromise site integrity or spread malware. In a real-world scenario, an attacker could leverage the vulnerability to compromise the accounts of unsuspecting users, leading to unauthorized access, data breaches, or reputational damage for affected websites.
Recommendations for Improved Security
To mitigate the risk posed by this vulnerability and enhance the security of WordPress websites, the following recommendations are advised:
- Implement robust input validation and output sanitization techniques to prevent the execution of malicious scripts via shortcodes.
- Regularly update and patch vulnerable plugins and themes to address security flaws and vulnerabilities.
- Educate website administrators and content creators about the risks of XSS vulnerabilities and encourage best practices for secure coding and content creation.
- Utilize security plugins or tools to automatically scan for and detect XSS vulnerabilities in WordPress websites.
- Consider implementing Content Security Policy (CSP) headers to mitigate the impact of XSS attacks by restricting the execution of inline scripts and external resources.
By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Buttons Shortcode and Widget.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
