Ultimate Blocks is a popular WordPress plugin that provides a variety of content blocks for Gutenberg. However, a critical vulnerability, CVE-2024-10678, has been discovered in the plugin, which allows for a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables an attacker with contributor privileges to inject malicious JavaScript code into the “Countdown” block of a new post, which is then executed when the post is interacted with. The injected script can lead to account takeover and the creation of a backdoor admin account, posing a serious risk for WordPress websites. With over 50,000 active installations, this vulnerability represents a significant security threat.
| CVE | CVE-2024-10678 |
| Plugin | Ultimate Blocks < 3.2.4 |
| Critical | High |
| All Time | 1 354 142 |
| Active installations | 50 000+ |
| Publicly Published | November 9, 2024 |
| Last Updated | November 9, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10678 https://wpscan.com/vulnerability/9342c6a1-4f9a-45f3-911d-0dfee4657243/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| September 10, 2024 | Plugin testing and vulnerability detection in the Ultimate Blocks have been completed |
| September 10, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 9, 2024 | Registered CVE-2024-10678 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Ultimate Blocks plugin. It was found that the plugin fails to sanitize user input properly in the “expiryMessage” field of the Countdown block. This oversight allows contributors (who typically have minimal permissions) to inject malicious JavaScript code into the field. The vulnerability occurs when an attacker intercepts the request to submit a new post and modifies the “expiryMessage” field to include a malicious payload, such as \\u0026lt;img src=x onerror=alert(1)\\u0026gt;\\u003c. This input is stored in the WordPress database, and when the post is rendered, the malicious script is executed, potentially allowing the attacker to hijack sessions or escalate privileges to create a backdoor admin account.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a type of vulnerability where an attacker is able to inject malicious scripts into web pages that are then executed by the browser of the person viewing the page. XSS vulnerabilities are commonly found in web applications that allow user-generated content without properly sanitizing input. In WordPress, XSS is a frequent attack vector in plugins and themes that deal with form fields or dynamic content. A real-world example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject JavaScript into form fields, leading to session hijacking. Similarly, CVE-2024-10678 exploits improper sanitization in Ultimate Blocks, allowing an attacker to inject JavaScript into the Countdown block, which can then be executed in a user’s browser.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10678, an attacker with contributors-level access:
POC:
1) Create a new Post 2) Add here "Countdown" block 3) Set nearest time with your time. 4) Intercept request of submission post and replace "expiryMessage" with "\\u0026lt;img src=x onerror=alert(1)\\u0026gt;\\u003c"____
The potential risks of CVE-2024-10678 are significant. If exploited, the attacker can gain unauthorized access to a WordPress site by hijacking an admin’s session or creating a backdoor admin account. This could allow the attacker to alter content, steal sensitive data, install malicious plugins, or deface the site. For sites that store sensitive information, such as e-commerce or membership sites, the consequences could be severe, including data breaches and financial loss. In a real-world scenario, an attacker could exploit this vulnerability to take over an entire website, lock out legitimate admins, or manipulate the content on the site. Furthermore, the vulnerability could be used as part of a broader attack, where the attacker targets other sites or systems connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10678, administrators should update the Ultimate Blocks plugin to the latest version once a patch is released. Additionally, administrators should restrict contributor-level users from accessing sensitive fields such as the “expiryMessage” in the Countdown block. Sanitizing all user inputs, especially those in dynamic fields like countdown messages, is essential to prevent XSS attacks. It is also recommended to disable the unfiltered_html capability for non-admin users to prevent them from injecting JavaScript into posts and plugin settings. Implementing Content Security Policies (CSP) and regularly conducting security audits of plugins can further help protect WordPress sites from such vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10678, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
