The MailPoet plugin, widely used for newsletter management, email marketing, and automation in WordPress, has been found to contain a severe security vulnerability. This vulnerability, identified as CVE-2024-10103, allows an attacker to execute a Stored Cross-Site Scripting (XSS) attack through the “Custom HTML” block when creating a new form. The flaw grants the attacker the ability to embed malicious JavaScript code, leading to account takeover and backdoor creation. With over 700,000 active installations, this vulnerability poses a significant risk to WordPress sites that utilize the plugin.
| Field | Value |
|---|---|
| CVE | CVE-2024-10103 |
| Plugin | MailPoet – Newsletters, Email Marketing, and Automation < 5.3.2 |
| Severity | High |
| All-time downloads | 49 231 612 |
| Active installations | 700 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10103, https://wpscan.com/vulnerability/89660883-5f34-426a-ad06-741c0c213ecc/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| September 30, 2024 | Plugin testing and vulnerability detection in MailPoet – Newsletters, Email Marketing, and Automation has been completed |
| September 30, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-10103 |
Discovery of the Vulnerability
During a security audit of the MailPoet plugin, researchers discovered that the plugin improperly sanitized user inputs within the form creation interface. By exploiting this vulnerability, an attacker with editor-level permissions can inject malicious scripts into the “Custom text” field in the “Custom HTML” block. Once the form is previewed and saved, the malicious code becomes embedded in the plugin’s settings, where it can be triggered when the form is accessed, allowing the attacker to execute arbitrary JavaScript on the affected site.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most common vulnerabilities affecting web applications, including WordPress. XSS allows attackers to inject malicious scripts into trusted websites, which are then executed in the browsers of unsuspecting users. For WordPress, XSS can be used to bypass authentication mechanisms, steal sensitive data, or even alter website content. A well-known example is the XSS vulnerability found in WordPress themes or plugins that allow HTML input without proper sanitization, enabling attackers to execute scripts. The MailPoet vulnerability is a clear reminder that even trusted plugins can be susceptible to XSS, especially when user-generated content is not adequately sanitized.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10103, an attacker would need to create a new form within MailPoet and insert a payload such as `<img src=x onerror=alert(1)>` in the “Custom text” field of a “Custom HTML” block. After clicking “Preview” and saving the form, the malicious JavaScript is stored within the plugin settings. Because admins and editors are allowed to use JavaScript in posts, pages, and comments (via the unfiltered_html capability), the injected script executes whenever the form is previewed or interacted with, potentially compromising the site and enabling backdoor access.
PoC:
Create a new form and add a “Custom HTML” block (any block with a text field can be used). Change the “Custom text” field to malicious JavaScript (eval() and the like), for example `<img src=x onerror=alert(1)>`. Click Preview -> Save Settings. Note that admins and editors are allowed to use JS in posts, pages, comments, etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.
The potential risks of CVE-2024-10103 are significant. A successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the WordPress site, either by injecting malicious scripts that steal session cookies or by performing actions on behalf of the administrator. This could lead to account takeover, data breaches, or even remote code execution. In a real-world scenario, a malicious user could exploit the vulnerability to take control of the site, send spam emails through MailPoet, or steal sensitive user data. Given the widespread use of MailPoet across a variety of industries, the real-world impact of this vulnerability is severe, especially for websites that handle personal or financial information.
Recommendations for Improved Security
To address CVE-2024-10103, it is crucial for MailPoet users to update the plugin to version 5.3.2 or later as soon as the patch is available to them. In addition, site administrators should review and restrict user roles, ensuring that only trusted users have the unfiltered_html capability, particularly on sites running plugins like MailPoet that store user-supplied HTML. Another important recommendation is to implement a Content Security Policy (CSP) to block untrusted scripts and prevent injected XSS payloads from executing. Regular security audits and the use of security plugins that scan for XSS vulnerabilities can also help detect and mitigate such risks before they are exploited.
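One way to put the role and CSP recommendations above into practice, as an added example that is not MailPoet's or CleanTalk's code: a WordPress must-use plugin that denies unfiltered_html to non-administrators, sanitizes a Custom HTML value with WordPress's own wp_kses_post(), and sends a report-only CSP on the public site. The file path and the function name example_sanitize_custom_html are assumptions.

```php
<?php
/**
 * Plugin Name: Example editor hardening (added example, not MailPoet code)
 * Description: Save as wp-content/mu-plugins/editor-hardening.php (assumed path)
 *              so it loads on every request without activation.
 */

// 1. Deny unfiltered_html to any user who cannot manage_options (i.e. non-admins).
//    WordPress consults map_meta_cap before granting a capability; returning
//    'do_not_allow' forces editors' markup through wp_kses on save, which
//    strips <script> tags and on* event-handler attributes such as onerror.
//    The manage_options lookup does not recurse: this filter only acts on
//    the unfiltered_html capability and passes every other $cap through.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );

// 2. Explicit sanitizer for a form's "Custom text" value. wp_kses_post() keeps
//    the tags allowed in post content and drops every event-handler attribute,
//    so the advisory's payload <img src=x onerror=alert(1)> survives only as an
//    <img> element with its src, never with onerror.
function example_sanitize_custom_html( $html ) {
    return wp_kses_post( (string) $html );
}

// 3. Content Security Policy on the public site, where MailPoet forms render.
//    Report-Only first: themes frequently rely on inline scripts, so collect
//    violations from the browser console, then rename the header to
//    Content-Security-Policy once nothing legitimate is reported. With
//    script-src 'self', an injected inline handler is refused by the browser
//    even if a stored payload reaches the page.
add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return; // wp-admin depends heavily on inline scripts; tune it separately.
    }
    header( "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

Switching the header to the enforcing Content-Security-Policy is only safe after the report-only run shows no violations from the theme or other plugins.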
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10103, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.