WPForms, a widely-used WordPress plugin for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-11223. This flaw allows an attacker with editor-level access to inject malicious JavaScript code into the settings of the “Number Slider” field in a form. When the form is viewed or submitted, the malicious script executes, potentially creating a backdoor and allowing the attacker to escalate their privileges. With over 6 million active installations, this vulnerability presents a significant security risk for WordPress sites using WPForms.
| CVE | CVE-2024-11223 |
| Plugin | WPForms < 1.9.2.3 |
| Critical | High |
| All Time | 252 124 312 |
| Active installations | 6 000 000+ |
| Publicly Published | December 17, 2024 |
| Last Updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11223 https://wpscan.com/vulnerability/82989909-9745-4c9a-abc7-c1adf8c2b047/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| November 11, 2024 | Plugin testing and vulnerability detection in the WPForms have been completed |
| November 11, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | Registered CVE-2024-11223 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of WPForms. It was found that the plugin fails to properly sanitize user input in the “Value Display” field of the “Number Slider” block, which is located under the Advanced settings. Attackers with editor-level access can inject JavaScript into this field, which is then stored in the WordPress database. When the form containing the injected script is displayed, the malicious JavaScript executes in the context of the viewer’s browser. The ability to inject and store malicious scripts with minimal privileges highlights the severity of this vulnerability.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities occur when an attacker can inject malicious scripts into web pages, which are then executed in the browsers of unsuspecting users. These scripts can steal sensitive information, hijack sessions, or escalate privileges, allowing attackers to take control of the website. A real-world example of XSS in WordPress occurred in the Contact Form 7 plugin, where attackers could inject JavaScript into form fields, potentially leading to session hijacking and backdoor creation. CVE-2024-11223 exploits improper sanitization in WPForms, where malicious JavaScript can be injected into the “Value Display” field of the “Number Slider” and executed when the form is viewed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-11223, an attacker with editor-level privileges:
POC:
Create a new Form add here Number Slider. Change "Value Display" field in Advanced settings of this block to "Malicious JS code eval() and etc. For example 123<img src=x onerror=alert(1)> -> Save Settings -> Go to any post and put here "[pirate_forms]"____
The risks of CVE-2024-11223 are significant. A successful attack could allow an attacker to hijack an administrator’s session or escalate their privileges to admin-level access. With full admin access, the attacker could modify site content, steal sensitive data, install malicious plugins, or even deface the site. In a real-world scenario, an attacker could use this vulnerability to gain control of an e-commerce site, modify order details, steal customer information, or disrupt business operations. For membership sites or any platform handling sensitive user information, the exploitation of this vulnerability could result in severe data breaches, financial losses, and reputational damage. Additionally, this flaw could be used as a stepping stone for further attacks on other systems connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-11223, WordPress administrators should update WPForms to the latest patched version immediately. Additionally, administrators should restrict editor-level users from modifying sensitive plugin settings such as those in the “Value Display” field. Proper sanitization and validation of user inputs, particularly in fields that affect dynamic content such as the “Number Slider” block, should be enforced to prevent malicious script injection. Administrators should also disable the unfiltered_html capability for non-admin users to prevent the injection of JavaScript. Implementing Content Security Policies (CSP) and conducting regular security audits are also recommended to detect and block any potential XSS attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11223, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
