CVE-2024-0951 exposes WordPress sites to Stored XSS attacks via the Advanced Social Feeds Widget & Shortcode plugin. This flaw allows attackers to execute malicious scripts, potentially leading to account takeover. Here’s what you need to know:
Main info:
CVE | CVE-2024-0951 |
Plugin | Advanced Social Feeds Widget & Shortcode <= 1.7 |
Critical | High |
All Time | 17 011 |
Active installations | 3 000+ |
Publicly Published | February 20, 2023 |
Last Updated | February 20, 2023 |
Researcher | Dmtirii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0951 https://wpscan.com/vulnerability/88b2e479-eb15-4213-9df8-3d353074974e/ |
Plugin Security Certification by CleanTalk | |
Timeline
January 19, 2023 | Plugin testing and vulnerability detection in the Advanced Social Feeds Widget & Shortcode have been completed |
January 19, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
February 20, 2023 | Registered CVE-2024-0951 |
Discovery of the Vulnerability
During rigorous testing of the Advanced Social Feeds Widget & Shortcode plugin, security researchers stumbled upon a dangerous flaw. It was revealed that the plugin’s design allows attackers to execute malicious scripts via Stored XSS, posing a serious threat to website security. As a result, high privilege users such as administrators can exploit this flaw to execute malicious scripts, potentially leading to account takeover (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).
Understanding of Stored XSS attack’s
Stored XSS vulnerabilities are a nightmare for website security. They enable attackers to inject malicious scripts into web pages, which are then executed when unsuspecting users interact with the compromised content. This can lead to a range of devastating consequences, including account takeover, data theft, and malware distribution.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2024-0951, attackers can leverage the plugin’s widget feature. By embedding a specially crafted payload into the “CSS” field of a new widget, they can execute arbitrary JavaScript code when unsuspecting users interact with the compromised page. The potential for damage is significant.
POC:
- When creating a new widget, insert the following payload in the “CSS” field – ” onmouseover=”alert(/XSS/)”
___
The exploitation of this vulnerability poses severe risks to WordPress sites. Attackers could hijack user sessions, steal sensitive data, deface websites, or even take control of administrator accounts. Furthermore, if an attacker has previously compromised an administrator or editor account, they can establish a persistent backdoor for continued access.
Recommendations for Improved Security
In light of CVE-2024-0951, it’s imperative that WordPress site owners take immediate action to protect their websites. Firstly, conduct regular security audits of your plugins, adhere to secure coding practices, and implement robust security measures to fortify your WordPress ecosystem.
By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Advanced Social Feeds Widget & Shortcode.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.