It was recently discovered that the “Sticky Social Icons” plugin, used to add customizable social media buttons to a site, contains a stored cross-site scripting (XSS) vulnerability, CVE-2024-10551. The flaw allows an attacker to store a script payload in the plugin's settings, which can potentially lead to the creation of a backdoor and further compromise of vulnerable websites. Since the plugin is currently closed for download and updates, understanding this vulnerability is crucial for both prevention and remediation.

CVE: CVE-2024-10551
Plugin: Sticky Social Icons <= 1.2.1
Criticality: Low
All Time: 61 806
Active installations: 10 000+
Publicly Published: November 18, 2024
Last Updated: November 18, 2024
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10551
Reference: https://wpscan.com/vulnerability/cd1aea4a-e5a6-4f87-805d-459b293bbf28/

Timeline

October 3, 2024: Plugin testing and vulnerability detection in the Sticky Social Icons plugin were completed.
October 3, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for a fix.
November 15, 2024: Registered CVE-2024-10551.

Discovery of the Vulnerability

The vulnerability in the “Sticky Social Icons” plugin was uncovered during a routine security assessment. Researchers identified that the plugin’s configuration settings failed to properly sanitize user inputs. Specifically, the URL field in the Icon parameter was vulnerable to malicious payloads. This oversight opened the door for attackers to inject JavaScript code, which would execute whenever the affected icon was interacted with.

Understanding XSS Attacks

Stored XSS vulnerabilities occur when malicious scripts are injected into a target system and saved permanently. In WordPress, such flaws often arise due to inadequate input validation or output encoding in plugin or theme code.

Exploiting the XSS Vulnerability

To exploit this vulnerability, an attacker would need access to the WordPress admin panel, either through brute-forcing credentials or leveraging another vulnerability. Once logged in, the attacker would:

POC:

  1. Navigate to the “Sticky Social Icons” settings.
  2. Go to the “Icons” section.
  3. Select an icon and modify the “Selected Icons” option.
  4. Input a malicious payload into the URL field.
  5. Save the changes.

For example, in this case, a payload like:

PoC: http://123.123"onmouseover='alert(1)'


could be inserted into the URL field of an icon, allowing the script to execute when a user interacts with the icon. This seemingly innocuous behavior can escalate into a full-scale attack, where the injected script is used to steal cookies, capture credentials, or create a backdoor for persistent access.
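The following stand-alone PHP is an added illustration, not code from the Sticky Social Icons plugin or from this advisory's author: it contrasts the unsafe rendering pattern behind this class of bug (echoing a stored option straight into an href attribute) with an escaped version. The plugin's real rendering code is not shown here, so the vulnerable function is a reconstruction of the pattern only. The WordPress helpers esc_url() and esc_attr() are assumed; minimal stand-ins are defined so the script also runs outside WordPress.

```php
<?php
// Added example (not the plugin's own code). Shows why a URL value shaped like
// the advisory's PoC breaks out of an href attribute when echoed raw, and how
// scheme validation plus attribute encoding keeps it inert.
// Run with: php render_icon.php

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode &, <, >, " and ' for attribute context.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }
}

if (!function_exists('esc_url')) {
    // Simplified stand-in for WordPress esc_url(): accept only http(s) URLs, then
    // attribute-encode. The real helper also normalises and strips control characters;
    // only the part relevant to this bug is reproduced here.
    function esc_url(string $url): string
    {
        $url = trim($url);
        if (preg_match('#^https?://#i', $url) !== 1) {
            return '';
        }
        return esc_attr($url);
    }
}

// Vulnerable pattern: the stored option value lands in the attribute unmodified,
// so a double quote inside it terminates href and whatever follows becomes new attributes.
function render_icon_vulnerable(string $url, string $label): string
{
    return '<a href="' . $url . '" class="sticky-icon">' . $label . '</a>';
}

// Hardened pattern: the URL is scheme-checked and attribute-encoded; the label is encoded too.
function render_icon_hardened(string $url, string $label): string
{
    $safeUrl = esc_url($url);
    if ($safeUrl === '') {
        return ''; // refuse to render an icon whose URL is not http(s)
    }
    return '<a href="' . $safeUrl . '" class="sticky-icon">' . esc_attr($label) . '</a>';
}

// Constructed sample input modelled on the PoC string above.
$payload = 'http://123.123"onmouseover=\'alert(1)\'';

echo "vulnerable: ", render_icon_vulnerable($payload, 'Twitter'), PHP_EOL;
echo "hardened:   ", render_icon_hardened($payload, 'Twitter'), PHP_EOL;
```

In the vulnerable output the `"` in the stored value closes the href attribute, so the browser parses `onmouseover='alert(1)'` as a genuine event-handler attribute on the link. In the hardened output the same characters are emitted as `&quot;` and `&#039;`, so the entire string remains the value of href and no handler attribute is created; a value whose scheme is not http or https is dropped entirely rather than rendered.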

Recommendations for Improved Security

To reduce the risks associated with CVE-2024-10551, WordPress administrators should not use the Sticky Social Icons plugin, as the vulnerability has not been fixed. Administrators should also review user permissions to ensure that non-administrator users (such as editors) do not have access to sensitive settings that could lead to XSS. The plugin must sanitize all user input, especially in form fields, to prevent the introduction of malicious scripts. In addition, administrators should restrict the unfiltered_html capability to trusted users only, and use security plugins to scan WordPress plugins and themes for vulnerabilities. Implementing a Content Security Policy (CSP) can also help limit the impact of any successful XSS attack by blocking the execution of untrusted scripts. To prevent this type of attack, the vendor used our prevention methods.
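Because the plugin cannot be updated, an administrator's first practical step is to check whether a payload has already been stored. The following PHP is an added example, not code from the plugin or from CleanTalk: a read-only audit that flags stored URL values which would break out of an href attribute or execute script when rendered. The plugin's real option key is not given in this advisory, so OPTION_NAME_PLACEHOLDER is an assumed placeholder, and the sample values are constructed.

```php
<?php
// Added example (not the plugin's code). Flags stored icon URLs that carry an
// attribute breakout with an event handler, a script tag, or a script-bearing URI.
// Run with: php audit_icon_urls.php

const SUSPICIOUS_PATTERNS = [
    'attribute breakout with event handler' => '/["\'][^>]*\bon[a-z]+\s*=/i',
    'script tag'                            => '/<\s*script\b/i',
    'javascript: or data: URI'              => '/^\s*(javascript|data)\s*:/i',
];

// Returns one entry per flagged value: ['index' => n, 'url' => ..., 'reason' => ...].
function find_suspicious_urls(array $urls): array
{
    $hits = [];
    foreach ($urls as $i => $url) {
        $url = (string) $url;
        foreach (SUSPICIOUS_PATTERNS as $reason => $regex) {
            if (preg_match($regex, $url) === 1) {
                $hits[] = ['index' => $i, 'url' => $url, 'reason' => $reason];
                break; // one reason per value is enough for triage
            }
        }
    }
    return $hits;
}

// Inside WordPress the stored icon list would be loaded with something like
//   $icons = get_option('OPTION_NAME_PLACEHOLDER');   // assumed option key, not known from the advisory
// and the URL of each icon extracted from it. A constructed sample stands in here.
$storedUrls = [
    'https://twitter.com/example',
    'http://123.123"onmouseover=\'alert(1)\'',   // same shape as the advisory's PoC
    'javascript:alert(document.cookie)',         // constructed: script-bearing URI
    'https://www.facebook.com/example',
];

foreach (find_suspicious_urls($storedUrls) as $hit) {
    printf("icon %d flagged (%s): %s\n", $hit['index'], $hit['reason'], $hit['url']);
}

// Companion hardening for the recommendations above (assumed placements, not plugin code):
//  - wp-config.php:  define('DISALLOW_UNFILTERED_HTML', true);
//    removes the unfiltered_html capability from every role, including administrators
//  - HTTP response header:  Content-Security-Policy: script-src 'self'; object-src 'none'
//    a policy without 'unsafe-inline' stops an injected onmouseover handler from executing
```

A clean install produces no output from the loop; any flagged index points at an icon whose URL should be reset or removed through the settings screen (or directly in the wp_options table if the plugin UI is no longer available). The audit only inspects stored values and does not render them, so running it cannot trigger the payload.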

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10551, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Artyom k.
CVE-2024-10551 – Sticky Social Icons – Stored XSS to Backdoor Creation – POC
