Everest Forms, a popular plugin for creating forms in WordPress, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10471. This vulnerability allows attackers with editor-level privileges to inject malicious JavaScript code into the plugin’s form settings, which could lead to account takeover and the creation of backdoors. Given the large user base of Everest Forms, with over 6 million active installations, this vulnerability poses a significant threat to the security of many WordPress websites.
| CVE | CVE-2024-10471 |
| Plugin | Everest Forms < 3.0.4.2 |
| Critical | High |
| All Time | 6 451 124 |
| Active installations | 100 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10471 https://wpscan.com/vulnerability/85d590c9-c96d-40c9-aa59-48302ba3d63c/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 21, 2024 | Plugin testing and vulnerability detection in the Everest Forms have been completed |
| October 21, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10471 |
Discovery of the Vulnerability
The flaw was discovered during a security audit of the Everest Forms plugin. It was found that the plugin fails to properly sanitize the “Custom Required Message” field within the Email block settings. This field is intended for custom validation messages, but due to inadequate input validation, an attacker with editor privileges can inject malicious JavaScript. The vulnerability allows for the storage of this malicious script, which is then executed when the form is accessed or submitted. This lack of proper input sanitization makes it possible for an attacker to exploit the vulnerability by embedding harmful scripts into the form settings.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common and dangerous security flaws in web applications. XSS occurs when an attacker is able to inject and execute malicious scripts in the context of another user’s browser. These scripts can steal sensitive data, perform actions on behalf of the user, or escalate privileges. In the case of WordPress, plugins that allow user-generated content or form submissions are often the targets of XSS attacks.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10471, an attacker must have editor-level privileges, which can be exploited to insert a malicious script into the form settings.
POC:
You should create a new form. Add here Email block and change "Custom Required Message" field in main settings to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)> -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The potential risks associated with CVE-2024-10471 are high. If an attacker successfully exploits the vulnerability, they could gain unauthorized access to the website’s backend by stealing admin credentials or cookies. This could allow them to create an admin account, modify form data, or redirect users to phishing sites. For websites with sensitive data or e-commerce functionality, this could result in severe consequences, including data theft, financial loss, or reputational damage. In addition, the backdoor access could be used as a foothold for further attacks on the website or its users, making it crucial for administrators to patch the vulnerability as soon as possible.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10471, WordPress site administrators should immediately update Everest Forms to the latest patched version. They should also carefully review user roles and permissions, ensuring that editors and other non-admin users cannot access sensitive settings that could be exploited. Additionally, the plugin should implement proper input validation and sanitization for all user inputs, particularly in fields like “Custom Required Message.” Disabling the unfiltered_html capability for non-trusted users and employing security plugins to scan for vulnerabilities can further reduce the attack surface. Lastly, using a Content Security Policy (CSP) can help limit the execution of untrusted scripts and mitigate the damage caused by successful XSS attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10471, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
