ProfilePress, a popular WordPress plugin used for user registration, login forms, and membership management, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10518. This flaw allows an attacker to inject malicious JavaScript into the plugin’s settings, particularly in the “Name” field of the Membership Plan configuration. When executed, the injected JavaScript can create a backdoor, allowing the attacker to take control of the WordPress site. With over 200,000 active installations, this vulnerability poses a significant security threat to a large number of WordPress sites.
| CVE | CVE-2024-10518 |
| Plugin | ProfilePress < 4.15.15 |
| Critical | High |
| All Time | 13 713 174 |
| Active installations | 200 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10518 https://wpscan.com/vulnerability/a1e5ad16-6240-4920-888a-36fbac22cc71/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 2, 2024 | Plugin testing and vulnerability detection in the ProfilePress have been completed |
| October 2, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-10518 |
Discovery of the Vulnerability
The vulnerability was discovered during a security assessment of the ProfilePress plugin. It was found that the plugin does not properly sanitize user inputs, particularly in the “Name” field within the “Product Files” section when creating a new membership plan. This oversight allows an attacker with editor privileges or higher to inject JavaScript into this field. Once the settings are saved, the malicious JavaScript is stored and executed when the relevant page is viewed. The flaw is compounded by the fact that administrators and editors are typically granted the unfiltered_html capability, which allows them to insert JavaScript into posts, pages, and plugin settings, making this vulnerability particularly easy to exploit by users with low-level access.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common and dangerous types of vulnerabilities in web applications. XSS vulnerabilities allow attackers to inject malicious scripts into web pages, which are then executed in the browsers of users who view the page. These scripts can perform a range of malicious activities, including stealing session cookies, hijacking user accounts, and executing arbitrary commands on the site. A real-world example of XSS exploitation in WordPress occurred with the WPForms plugin, where attackers could inject malicious scripts into form fields, which were then executed when the form was displayed. Similarly, CVE-2024-10518 exploits improper input sanitization in ProfilePress, allowing low-privileged users to inject JavaScript into the plugin settings, which is then executed when viewed by other users.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-10518 is straightforward. An attacker with editor-level access:
POC:
Create a new Membership Plan. You should change "Name" field in Product Files section to "Malicious JS code eval() and etc. For example 123"onmouseover=alert(11251)// -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The potential risks associated with CVE-2024-10518 are significant. If exploited, this vulnerability could allow an attacker to hijack user sessions, steal sensitive information, or escalate their privileges to gain full administrative control over the site. In a real-world scenario, an attacker could create a backdoor admin account, giving them complete control over the WordPress site. They could then alter content, install malicious plugins, or steal personal and financial data from users. For e-commerce sites, membership platforms, or any site handling sensitive data, this vulnerability could result in severe data breaches, financial losses, and reputational damage. Furthermore, once an attacker gains admin access, they could propagate the attack across other connected systems, compromising the integrity of the entire network.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10518, it is essential for WordPress administrators to update the ProfilePress plugin to the latest version as soon as a patch is released. Site administrators should review user permissions, particularly for editors, to ensure that they do not have access to sensitive plugin settings, such as the “Name” field in the “Product Files” section. Sanitizing all user inputs before they are stored and rendered on the site is critical to preventing XSS attacks. Additionally, restricting the unfiltered_html capability for non-admin users can prevent them from injecting JavaScript into plugin settings or posts. Regular security audits and the use of security plugins that scan for XSS vulnerabilities can help protect the site from such attacks. Implementing Content Security Policies (CSP) can also prevent untrusted scripts from executing, even if they are injected into the site. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10518, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
