Tracking Code Manager, a widely used WordPress plugin by Data443, allows users to manage and customize third-party tracking codes and scripts on their WordPress sites. The plugin is known for its simplicity and compliance with privacy laws, offering features like tracking pixel placement, regional blocking, and seamless integration with e-commerce platforms. However, a critical stored Cross-Site Scripting (XSS) vulnerability has been identified in versions below 2.4.0, potentially exposing websites to serious security risks.
This vulnerability enables users with Contributor or higher roles to inject malicious scripts into the site, which can compromise the security and integrity of the affected WordPress installation. In this article, we’ll explore the discovery, exploitation, potential risks, and recommendations for mitigating this issue.
| CVE | CVE-2024-10309 |
| Plugin | Tracking Code Manager |
| Critical | High |
| All Time | 2 382 500 |
| Active installations | 100 000+ |
| Publicly Published | October 3, 2024 |
| Last Updated | October 3, 2024 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10309 https://wpscan.com/vulnerability/9eb21250-34bd-4600-a0a5-7c5117f69f04/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| October 3, 2024 | Plugin testing and vulnerability detection in the Category Posts Widget have been completed |
| October 3, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 9, 2025 | Registered CVE-2024-10309 |
Discovery of the Vulnerability
The vulnerability in Tracking Code Manager was discovered during a routine security audit. Researchers identified that users with Contributor+ privileges could exploit the plugin’s settings and metabox functionality to inject malicious HTML and JavaScript code. The issue stems from insufficient validation and sanitization of inputs in the custom tracking code fields.
Understanding of XSS attack’s
Stored XSS, also known as persistent XSS, occurs when malicious scripts are injected into a website’s database and subsequently executed in the browser of any user viewing the affected page. Unlike reflected XSS, stored XSS can impact a broader audience and have more severe consequences.
In the context of WordPress, stored XSS vulnerabilities often arise from poorly implemented input sanitization or insufficient access control. Attackers leverage such flaws to:
- Steal sensitive information (e.g., cookies, session tokens).
- Redirect users to phishing or malicious sites.
- Execute administrative actions on behalf of logged-in users.
Real-world examples of XSS attacks include defacements, credential theft, and malware distribution, making it crucial for WordPress administrators to address such vulnerabilities promptly.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-10309 requires minimal technical knowledge and can be carried out as follows:
POC:
- A user with Contributor+ privileges accesses the “Add New Post” interface.
- In the post editor, they interact with the “Tracking Code by Data443” block in the settings panel.
- The attacker creates a custom tracking code, inserting a malicious payload like:
Payload: "><script></script><img src=x onerror=alert(54321)>
- The post is submitted for review, storing the payload in the WordPress database.
- When the post is rendered, the payload executes, compromising the browser of any user accessing the page.
____
This exploitation path demonstrates how insufficient input validation can be abused to introduce malicious code into a trusted environment.
Recommendations for Improved Security
To address and mitigate the risks of CVE-2024-10309, administrators and developers should follow these recommendations:
- Update the Plugin: Upgrade to version 2.4.0 or later of Tracking Code Manager, as this issue has been patched in the latest release.
- Restrict User Roles: Limit the use of Contributor+ roles to trusted users only.
- Input Validation and Sanitization: Ensure all user inputs, particularly those involving HTML or JavaScript, are validated and sanitized to prevent injection attacks.
CVE-2024-10309 highlights the importance of proper input validation and user role management in WordPress plugins. While Tracking Code Manager offers powerful features for managing tracking scripts, its earlier versions exposed websites to significant security risks. By updating to the latest version and following best practices, WordPress administrators can ensure the safety and integrity of their sites.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10309, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Artyom k.
