ProfilePress is a popular WordPress plugin used for creating and managing user login, registration, and profile forms. It provides features to enhance user experience and website functionality. However, a critical vulnerability, CVE-2024-10517, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “User Login” field of a new form, which is then stored and executed on the site. The vulnerability can lead to account takeover and the creation of a backdoor for the attacker, compromising the integrity of the WordPress installation. With over 200,000 active installations, this vulnerability represents a significant security risk for websites using ProfilePress.
| CVE | CVE-2024-10517 |
| Plugin | ProfilePress < 4.15.15 |
| Critical | High |
| All Time | 13 713 174 |
| Active installations | 200 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10517 https://wpscan.com/vulnerability/f7c3a990-458e-4e15-b427-0b37de120740/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 2, 2024 | Plugin testing and vulnerability detection in the ProfilePress have been completed |
| October 2, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-10517 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of ProfilePress. The issue lies in the way the plugin handles input in the “Label” field of the “User Login” form field. The plugin fails to sanitize this input properly, allowing attackers to inject JavaScript code into the label field. When the form is rendered, the injected JavaScript executes, potentially allowing the attacker to hijack user sessions, steal sensitive data, or escalate their privileges to create a backdoor admin account. The vulnerability is particularly concerning because it can be exploited by users with any role, including those with minimal privileges, such as contributors or editors.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are a common and dangerous class of flaws in web applications, including WordPress plugins. XSS occurs when an attacker is able to inject malicious scripts into web pages, which are then executed in the browser of any user viewing the page. This can lead to various attacks, such as session hijacking, credential theft, and privilege escalation. A real-world example of an XSS vulnerability in WordPress occurred in the WPForms plugin, where attackers could inject malicious scripts into form fields, allowing them to steal cookies and hijack sessions. Similarly, CVE-2024-10517 exploits the failure of ProfilePress to properly sanitize the “Label” field in the user login form, allowing attackers to inject harmful scripts that can be executed when the form is viewed.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-10517 is straightforward. An attacker with editor-level access:
POC:
Create a new Form. You should edit "User Login" Field and change "Label" field to "Malicious JS code eval() and etc. For example <img src=x oenrror=alert(1)> -> Save Settings -> Take a new shortcode of form and create new post with it (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The potential risks associated with CVE-2024-10517 are severe. A successful exploit could allow an attacker to hijack user sessions, including admin sessions, which would grant them full control over the WordPress site. This could lead to a variety of malicious actions, such as altering site content, stealing sensitive user information, installing malware, or spreading malicious scripts. In a real-world scenario, an attacker could use the backdoor created through this vulnerability to gain persistent access to the site, even if the admin changes their password. For websites that handle sensitive data, such as e-commerce sites or membership platforms, this vulnerability could lead to data breaches, financial losses, and significant reputational damage. Additionally, the vulnerability could be used as part of a multi-stage attack, where the attacker compromises the WordPress site and then spreads further attacks to other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10517, WordPress administrators should immediately update ProfilePress to the latest version once a patch is released. It is also important to restrict user roles and ensure that only trusted users have access to form settings that could be used to inject malicious code. Sanitizing all user inputs, particularly in fields like the “Label” field, is essential to prevent XSS attacks. Administrators should also consider disabling the unfiltered_html capability for non-admin users, especially editors and contributors, to prevent them from injecting JavaScript into posts or plugin settings. Regular security audits, the use of security plugins, and the implementation of Content Security Policies (CSP) can further help to detect and mitigate the impact of such vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10517, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
