LearnPress, a popular WordPress plugin for creating and managing online courses, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10010. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which is then stored and executed when the settings are viewed. The injected script can create a backdoor, allowing the attacker to take control of the site and escalate privileges, leading to a full account takeover. With over 100,000 active installations, this vulnerability poses a significant security risk to WordPress sites that rely on LearnPress for managing educational content.
| CVE | CVE-2024-10010 |
| Plugin | LearnPress < 4.2.7.2 |
| Critical | High |
| All Time | 6 123 174 |
| Active installations | 100 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10010 https://wpscan.com/vulnerability/8a258d33-a354-4cbb-bfcb-31b7f1b1a036/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 14, 2024 | Plugin testing and vulnerability detection in the LearnPress have been completed |
| October 14, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-10010 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the LearnPress plugin. It was found that the plugin fails to properly sanitize user inputs in the “Decimal separator” field under the General Settings page. This oversight allows an attacker with editor-level access to inject malicious JavaScript code, such as <img src=x onerror=alert(1)>, into this field. Once saved, the malicious payload is stored in the plugin’s settings. When an administrator or editor accesses the settings page again, the malicious JavaScript is executed in the browser, potentially leading to session hijacking, data theft, or backdoor account creation. The vulnerability is exacerbated by the fact that editors and administrators are often granted unfiltered_html capability, allowing them to insert untrusted content that could be used for XSS attacks.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are one of the most common and dangerous types of security flaws found in web applications. XSS occurs when an attacker is able to inject malicious JavaScript code into a web page, which is then executed in the browsers of users who view the page. These scripts can steal sensitive data, hijack user sessions, or escalate privileges on the site. A well-known example of XSS in WordPress is the vulnerability found in the WPForms plugin, where an attacker could inject scripts into form fields, leading to session hijacking and unauthorized access. Similarly, CVE-2024-10010 exploits improper input sanitization in LearnPress, where a simple script injection into the “Decimal separator” field can create a security breach.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-10010 is straightforward. An attacker with editor-level access:
POC:
You should create a new course and go to this page. Go to General Settings and change "Decimal separator" field to <img src=x onerror=alert(1)> -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-10010 are severe. A successful exploitation could allow an attacker to hijack an administrator’s session or escalate their privileges to create a backdoor admin account. This would grant the attacker full control over the WordPress site, allowing them to steal sensitive user data, alter content, install malicious plugins, or perform other unauthorized actions. In a real-world scenario, an attacker could use this backdoor to manipulate course content, steal student data, or redirect users to malicious websites. For sites that handle sensitive information, such as e-commerce platforms or educational websites, this vulnerability could lead to significant data breaches, financial losses, and reputational damage. Moreover, the vulnerability could be used as a gateway for further attacks, potentially compromising other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10010, administrators should immediately update LearnPress to the latest version as soon as a patch is available. Additionally, administrators should review user roles and restrict editor-level users from accessing sensitive settings such as the “Decimal separator” field. Sanitizing all user inputs, particularly in fields that control settings, is essential to prevent XSS attacks. Furthermore, administrators should disable the unfiltered_html capability for non-admin users to limit their ability to inject untrusted JavaScript into the site. Implementing Content Security Policies (CSP) and conducting regular security audits will also help detect and block such vulnerabilities before they can be exploited. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10010, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
