Max Buttons, a popular WordPress plugin for creating customizable buttons, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10555. This flaw allows an attacker with editor-level access to inject malicious JavaScript into the plugin’s settings. The injected script is stored and executed when the plugin settings are accessed. This can lead to account takeover, where an attacker can escalate their privileges and potentially create a backdoor admin account, giving them full control of the site. With over 100,000 active installations, this vulnerability represents a significant security risk for WordPress users.
| CVE | CVE-2024-10555 |
| Plugin | MaxButtons < 9.8.1 |
| Critical | High |
| All Time | 4 894 512 |
| Active installations | 100 000+ |
| Publicly Published | November 9, 2024 |
| Last Updated | November 9, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10555 https://wpscan.com/vulnerability/fcc97635-e939-4cb4-9851-6f6ac4f6ad47/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| July 9, 2024 | Plugin testing and vulnerability detection in the Max Buttons have been completed |
| July 9, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 9, 2024 | Registered CVE-2024-10555 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of Max Buttons. It was found that the plugin fails to properly sanitize input in the “button_width” field during the creation of a new button. This field, which is meant to define the width of the button, can be exploited to inject JavaScript. When the settings are saved, the injected script is stored and executed when the settings page is revisited. The flaw stems from improper input sanitization, allowing malicious users to insert unfiltered JavaScript code into a field that is not properly protected. This issue is compounded by the fact that the unfiltered_html capability is often granted to admin and editor-level users, enabling the attack to be easily executed by low-privileged users.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most prevalent vulnerabilities in web applications. It occurs when an attacker injects malicious scripts into web pages viewed by others. These scripts can steal sensitive information, hijack sessions, or even escalate privileges. In WordPress, XSS vulnerabilities are often found in plugins and themes that fail to properly sanitize user input, especially in fields like forms or settings where users can provide dynamic content. A well-known example of XSS in WordPress is the vulnerability found in the Contact Form 7 plugin, where attackers could inject malicious JavaScript into form fields, allowing for session hijacking and unauthorized actions. Similarly, CVE-2024-10555 exploits improper sanitization in Max Buttons, allowing an attacker to inject a malicious script into the “button_width” field, which is executed when the settings are loaded.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10555, an attacker with editor-level privileges:
POC:
You should go to creation of new Button. Change "button_width" field to 160"+onmouseover=alert(1)// -> Save Settings____
The risks associated with CVE-2024-10555 are significant. If exploited, an attacker could hijack an admin’s session, gaining full control over the WordPress site. This could lead to various malicious actions, including altering content, installing malicious plugins, or stealing sensitive user data. In a real-world scenario, an attacker could use the backdoor created through this vulnerability to perform a range of attacks, such as defacing the site, altering user permissions, or even taking the site offline. For sites handling sensitive information, such as e-commerce or membership sites, this vulnerability could lead to data breaches, financial losses, and reputational damage. Moreover, this flaw could be used as part of a broader attack, with the attacker leveraging the compromised site to target other systems or websites.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10555, administrators should immediately update Max Buttons to the latest version once a patch is available. Additionally, site administrators should review and limit editor-level access to plugin settings that can be exploited for XSS attacks. Sanitizing all user inputs, particularly in fields like “button_width,” is essential to prevent malicious scripts from being injected and executed. Disabling the unfiltered_html capability for non-admin users is also crucial in preventing unauthorized users from injecting JavaScript into plugin settings. Implementing Content Security Policies (CSP) can further help mitigate the impact of any successful XSS attacks by blocking the execution of untrusted scripts. Regular security audits and using security plugins that scan for XSS vulnerabilities should also be part of a comprehensive security strategy for WordPress sites. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10555, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
