Beware, WordPress users! A critical vulnerability has been found in the Widget for Social Page Feeds plugin, tracked as CVE-2024-0973. The flaw allows Stored Cross-Site Scripting (XSS), which can lead to admin account creation via XSS and compromise your website's security. Stay informed and take the necessary precautions to safeguard your WordPress installations. High-privilege users such as administrators can exploit this flaw to execute malicious scripts, potentially leading to account takeover: if an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later.

Main info:

CVE: CVE-2024-0973
Plugin: Widget for Social Page Feeds < 6.4
Criticality: High
All Time: 1 463 068
Active installations: 80 000+
Publicly Published: February 20, 2023
Last Updated: February 20, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0973
https://wpscan.com/vulnerability/798de421-4814-46a9-a055-ebb95a7218ed/
Plugin Security Certification by CleanTalk

Timeline

January 22, 2023: Plugin testing and vulnerability detection in the Widget for Social Page Feeds have been completed
January 22, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 20, 2023: Registered CVE-2024-0973

Discovery of the Vulnerability

During rigorous testing of the Widget for Social Page Feeds plugin, security researchers found a vulnerability that allows threat actors to carry out Stored XSS attacks. By leveraging this vulnerability, attackers can embed malicious scripts in a webpage via the plugin's widget.

Understanding Stored XSS Attacks

Stored Cross-Site Scripting (XSS) is a type of vulnerability that arises when user-supplied data is stored on a web server and later displayed to other users without proper sanitization. In WordPress, this vulnerability can be exploited through various entry points, such as input fields, forms, and widgets. Attackers inject malicious scripts, which are then executed within the context of other users’ browsers, leading to unauthorized actions and potential compromise of sensitive data.

Exploiting the Stored XSS Vulnerability

To exploit the Stored XSS vulnerability in the Widget for Social Page Feeds plugin, an attacker injects a malicious script into the "Custom CSS" field when creating a new widget. The stored value is later output unescaped, so such payloads can trigger actions such as pop-up alerts, redirection to malicious websites, or the theft of sensitive information.

POC:

  1. When creating a new widget, insert the following payload in the "Custom CSS" field: " onmouseover="alert(/XSS/)"


The ramifications of this vulnerability are far-reaching. High-privilege users, including administrators and editors, can abuse the flaw to execute arbitrary script within the context of another user's browser. This could lead to account takeover incidents, unauthorized access to sensitive data, and the planting of backdoors for persistent access to compromised WordPress sites.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-0973 and similar vulnerabilities, WordPress site administrators are strongly advised to:

  • Immediately update the Widget for Social Page Feeds plugin to the latest patched version.
  • Regularly monitor plugin updates and security advisories from reputable sources.
  • Implement strict input validation and output sanitization practices to prevent XSS vulnerabilities.
  • Educate users about the importance of safe browsing habits and the risks associated with clicking on suspicious links or executing untrusted code.
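The following added example (not the plugin's code, and written in Python rather than PHP so it runs stand-alone) illustrates why the PoC payload above works and how output escaping plus a stored-options audit address it. The widget markup, the `render_widget_*` functions and the sample widget options are hypothetical; `html.escape(quote=True)` stands in for WordPress's `esc_attr()`.

```python
import html
import re

# Constructed sample: the PoC payload quoted in this advisory, exactly as an
# attacker would store it in the "Custom CSS" widget field.
POC_PAYLOAD = '" onmouseover="alert(/XSS/)"'


def render_widget_unsafe(custom_css: str) -> str:
    """Hypothetical vulnerable pattern: the stored value lands inside an HTML
    attribute without escaping. A double quote closes the attribute and the
    following on*= text becomes a live event-handler attribute."""
    return f'<div class="social-feed" style="{custom_css}">...</div>'


def render_widget_safe(custom_css: str) -> str:
    """Hardened form: escape for the attribute context at output time, so the
    quote becomes &quot; and the browser never sees a new attribute."""
    return f'<div class="social-feed" style="{html.escape(custom_css, quote=True)}">...</div>'


def has_live_event_handler(rendered: str) -> bool:
    """True if the rendered markup contains a real on*="..." attribute."""
    return re.search(r'\son\w+\s*=\s*["\']', rendered) is not None


# Event handlers, script tags and javascript: URLs never belong in a CSS string.
_SUSPICIOUS = re.compile(r'(["\']\s*on\w+\s*=|<\s*script|javascript\s*:)', re.I)


def find_suspicious_custom_css(widget_options: dict) -> list:
    """Defensive audit: given saved widget options (widget id -> custom CSS),
    return the ids whose CSS looks like a script payload rather than styling.
    Useful for checking a site for planted payloads before and after patching."""
    return [wid for wid, css in widget_options.items() if _SUSPICIOUS.search(css)]


# Constructed sample of stored widget options: one benign, one carrying the PoC.
SAMPLE_OPTIONS = {
    "widget-1": ".social-feed { color: #333; font-size: 14px; }",
    "widget-2": POC_PAYLOAD,
}

if __name__ == "__main__":
    print("unsafe:", render_widget_unsafe(POC_PAYLOAD))
    print("safe:  ", render_widget_safe(POC_PAYLOAD))
    print("flagged widgets:", find_suspicious_custom_css(SAMPLE_OPTIONS))
```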

By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Widget for Social Page Feeds.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


DMITRII I.
