During testing of the Tabs Shortcode and Widget plugin for WordPress, a security vulnerability was discovered that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability arises from the plugin’s failure to properly validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is embedded. As a result, users with the contributor role and above can exploit this flaw to execute malicious scripts, potentially leading to account takeover and compromise of the website.
Main info:
| CVE | CVE-2024-0719 |
| Plugin | Tabs Shortcode and Widget <= 1.17 |
| Critical | High |
| All Time | 52 187 |
| Active installations | 2 000+ |
| Publicly Published | February 20, 2023 |
| Last Updated | February 20, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0719 https://wpscan.com/vulnerability/6e67bf7f-07e6-432b-a8f4-aa69299aecaf/ |
| Plugin Security Certification by CleanTalk |  |
Timeline
| January 9, 2023 | Plugin testing and vulnerability detection in the Tabs Shortcode and Widget have been completed |
| January 9, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 20, 2023 | Registered CVE-2024-0719 |
Discovery of the Vulnerability
In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover
Understanding of Stored XSS attack’s
Stored XSS vulnerabilities via shortcode occur when user-supplied input within shortcode attributes is not properly sanitized before being rendered on the front-end of a WordPress website. This allows attackers to inject malicious scripts into the shortcode attributes, which are then executed when the shortcode is rendered on a page or post. Real examples of this vulnerability include embedding malicious JavaScript code within shortcode attributes such as title, content, or custom parameters, leading to the execution of arbitrary scripts in the context of other users’ sessions.
Exploiting the Stored XSS Vulnerability
To exploit the CVE-2024-0719 vulnerability in the Tabs Shortcode and Widget plugin, an attacker with the contributor role or above can create a new post or page and embed the malicious shortcode containing the XSS payload. The payload is designed to execute arbitrary JavaScript code when the page or post is viewed by other users. By leveraging this vulnerability, an attacker can potentially hijack user sessions, steal authentication tokens, and perform unauthorized actions on behalf of other users.
POC shortcode:
- [otw_shortcode_tabslayout tabs=”2″ title=”234″ tab_1_title=”34″ tab_1_icon_url=”http://123″ tab_1_content=”23″ tab_2_title=”123″ tab_2_icon_type=”general foundicon-page” tab_2_icon_url=”123″ tab_2_content=”123″ css_class='” onmouseover=”alert(/XSS/)”‘ css_id='” onmouseover=”alert(/XSS/)”‘][/otw_shortcode_tabslayout]
___
The CVE-2024-0719 vulnerability poses a significant risk to WordPress websites and their users. In real-world scenarios, attackers can exploit this vulnerability to perform a wide range of malicious activities, including but not limited to:
- Theft of sensitive information such as user credentials, session tokens, and personal data.
- Defacement of website content by injecting malicious scripts or content into posts or pages.
- Distribution of malware or phishing content to unsuspecting website visitors.
- Hijacking user sessions to perform unauthorized actions on behalf of authenticated users, such as modifying account settings, posting malicious content, or initiating financial transactions.
Recommendations for Improved Security
To mitigate the risk associated with CVE-2024-0719 and similar vulnerabilities related to Stored XSS via shortcode, the following recommendations are provided:
- Implement strict input validation and output escaping in all WordPress plugins and themes to prevent XSS attacks, especially within shortcode attributes.
- Educate developers about secure coding practices, including the importance of sanitizing user input and properly escaping output, particularly in the context of shortcode attributes.
- Regularly audit and review code for vulnerabilities, including XSS vulnerabilities, as part of the development process.
- Consider using security plugins or web application firewalls (WAFs) to monitor and block XSS attacks and other malicious activity.
- Stay informed about emerging security threats and best practices in WordPress security by participating in security communities and following reputable security resources.
By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Tabs Shortcode and Widget.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
