The Giveaways and Contests by RafflePress plugin is a popular tool used by WordPress site owners to manage and run contests, sweepstakes, and giveaways. With over 30,000 active installations, it allows users to boost engagement and traffic by offering incentives to participants. However, a critical vulnerability—CVE-2024-10107—was discovered during testing, which exposes the plugin to a Stored Cross-Site Scripting (XSS) attack. This vulnerability allows malicious actors to inject and execute JavaScript code, enabling them to potentially gain unauthorized access to the site and create backdoors that could compromise the entire platform.
| CVE | CVE-2024-10107 |
| Plugin | Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers < 1.12.17 |
| Critical | High |
| All Time | 471 444 |
| Active installations | 30 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10107 https://wpscan.com/vulnerability/83590cad-6bfb-4dc7-b8fd-aecbc66f3c33/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| September 24, 2024 | Plugin testing and vulnerability detection in the Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers have been completed |
| September 24, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2024-10107 |
Discovery of the Vulnerability
The vulnerability was identified in the “GDPR text” field within the plugin’s settings for a new giveaway. This field is designed to allow users to customize the text displayed on the giveaway page regarding data protection policies. However, the input is not properly sanitized or validated, making it possible for an attacker to inject arbitrary JavaScript code into the field. This flaw enables an attacker to execute malicious scripts when the content is viewed by other users, particularly administrators or editors who have the capability to modify or manage settings.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a common web vulnerability that occurs when an attacker can inject malicious scripts into a website, which are then executed in the browser of any user viewing the affected page. In WordPress, this type of vulnerability can be used to steal session cookies, hijack user accounts, deface sites, or even install backdoors. Real-world examples of XSS vulnerabilities in WordPress plugins include incidents like those found in the WPForms plugin, which allowed attackers to execute malicious JavaScript in form entries, leading to unauthorized access and data manipulation. CVE-2024-10107 follows this same pattern, where an attacker can use the vulnerable “GDPR text” field to inject scripts that are later executed when the giveaway page is viewed by an admin or editor.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10107, an attacker with editor+ privileges:
POC:
You should change "GDPR text" field in settings of a new Giveaway to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(121312321213)> -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks posed by CVE-2024-10107 are significant, especially in environments where the giveaway plugin is used by admins to manage high-traffic contests or user-generated content. In a real-world scenario, an attacker could use this vulnerability to create a backdoor admin account, effectively taking over the site. Once an attacker has admin privileges, they can install malware, redirect traffic, or delete critical site data. This could lead to complete site compromise, making it especially dangerous for e-commerce sites or websites handling sensitive user data. Moreover, because the vulnerability can be triggered without user interaction, it could remain undetected for a long time, giving attackers ample time to cause damage.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10107, it is crucial that users of the Giveaways and Contests by RafflePress plugin immediately update to the latest patched version of the plugin. Developers should implement proper input validation and output encoding to ensure that any data entered into the “GDPR text” field (and similar fields) is sanitized properly, preventing the injection of harmful scripts. Using functions like esc_html() or wp_kses() to escape special characters in user input can prevent the execution of malicious code. Additionally, site administrators should consider restricting the ability to edit giveaway settings to trusted roles and perform regular security audits to check for vulnerabilities. Implementing a Web Application Firewall (WAF) and running vulnerability scans can help detect and mitigate XSS vulnerabilities before they are exploited. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10107, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.