The Image Widget plugin for WordPress, used to add image widgets to pages or posts, has been found to have a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10939. This vulnerability allows attackers with editor-level privileges to inject malicious JavaScript into the “imgurl” field of an image widget. The injected script is stored and executed when the widget is rendered, potentially leading to account takeover and the creation of a backdoor. With over 100,000 active installations, this vulnerability poses a significant security risk for WordPress sites using the Image Widget plugin.
| CVE | CVE-2024-10939 |
| Plugin | Image Widget < 4.4.11 |
| Critical | High |
| All Time | 4 257 544 |
| Active installations | 100 000+ |
| Publicly Published | November 9, 2024 |
| Last Updated | November 9, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10939 https://wpscan.com/vulnerability/fcf50077-b360-4b63-bece-9806b4bc8bea/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 25, 2024 | Plugin testing and vulnerability detection in the Image Widget have been completed |
| October 25, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 9, 2024 | Registered CVE-2024-10939 |
Discovery of the Vulnerability
The vulnerability was discovered during a security assessment of the Image Widget plugin. It was found that the plugin fails to properly sanitize input in the “imgurl” field where users can specify an image URL. This lack of input sanitization allows users with sufficient privileges, such as editors, to inject JavaScript code into the URL field. When the widget is displayed, the injected JavaScript is executed. This flaw is exacerbated by the fact that admins and editors are often granted the unfiltered_html capability, allowing them to inject JavaScript into fields that would otherwise be sanitized. The vulnerability stems from improper validation and sanitization of user input in the widget’s configuration settings.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are one of the most prevalent types of security issues in WordPress plugins and themes. XSS allows attackers to inject malicious scripts into web pages, which are then executed in the browsers of unsuspecting users. This can lead to a variety of malicious activities, such as session hijacking, credential theft, and privilege escalation. A notable real-world example of XSS in WordPress is the vulnerability found in the Contact Form 7 plugin, where attackers could inject JavaScript into form fields, allowing for session hijacking and unauthorized actions. Similarly, CVE-2024-10939 exploits improper input sanitization in the Image Widget plugin, enabling attackers to inject malicious scripts that can be executed when the widget is rendered.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10939, an attacker with editor-level access:
POC:
Create a new Widget "Image Widget". You should change "imgurl" field to "Malicious JS code eval() and etc. For example 234"><img+src=x+onerror=alert(11245)> -> Save Settings -> Reload page or go to "Add Booking" (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-10939 are severe. If exploited, an attacker could use the injected script to hijack the session of an administrator or any other user with access to the WordPress backend, gaining full control over the site. This could result in malicious actions such as modifying content, stealing sensitive data, or installing malicious software. In a real-world scenario, an attacker could use the backdoor to create a persistent admin account, allowing them to maintain access to the site even if the password is changed. For sites handling sensitive user information, such as e-commerce or membership sites, this could lead to data breaches, financial losses, and reputational damage. Additionally, the vulnerability could be exploited as a launching pad for further attacks, targeting other systems or websites connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10939, administrators should immediately update the Image Widget plugin to the latest patched version. Additionally, user roles and permissions should be reviewed, and the unfiltered_html capability should be disabled for non-admin users to prevent JavaScript injection. It is also essential to sanitize and validate all user inputs, especially in fields like image URLs, to prevent XSS attacks. Implementing Content Security Policies (CSP) can help reduce the impact of any successful XSS attacks by preventing malicious scripts from executing. Regular security audits and the use of security plugins that detect and block XSS attempts should also be part of the site’s overall security strategy. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10939, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
