WP Tabs is a widely used WordPress plugin designed to help users create and manage tabbed navigation on their websites. With its user-friendly interface and extensive customization options, WP Tabs has gained popularity among WordPress site owners. However, a security vulnerability (CVE-2024-111503) was discovered in versions below 2.2.7, exposing websites to a Stored Cross-Site Scripting (XSS) attack. This article delves into the discovery, exploitation, risks, and remediation of this vulnerability.
| CVE | CVE-2024-11503 |
| Plugin | WP Tabs < 2.2.7 |
| Critical | High |
| All Time | 236 139 |
| Active installations | 10 000+ |
| Publicly Published | March 13, 2025 |
| Last Updated | March 13, 2025 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11503 https://wpscan.com/vulnerability/25592b6c-b9ab-4d9e-b314-091594ce9189/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| October 30, 2025 | Plugin testing and vulnerability detection in the WP Tabs have been completed |
| October 30, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 13, 2025 | Registered CVE-2024-11503 |
Discovery of the Vulnerability
Security researchers identified a Stored XSS vulnerability in WP Tabs when analyzing input fields for improper sanitization. The vulnerability resides in the “Subsection Title – Margin Bottom” field within the Typography settings of the plugin. The affected parameter, sp_tab_shortcode_options[sptpro_section_title_typo][margin-bottom], allows an attacker to inject malicious JavaScript code, which is then stored and executed when an administrator or user interacts with the affected page.
Understanding of XSS attack’s
Stored XSS occurs when an application improperly sanitizes user input before storing it in the database. When the stored data is later retrieved and displayed, the malicious script executes in the victim’s browser.
For example, a WordPress plugin that allows users to enter text into a form field might not properly escape special characters like <script>.
In the case of WP Tabs, an attacker can inject the payload into the margin-bottom field, causing the script to execute when an administrator or other users interact with the plugin settings.
Exploiting the XSS Vulnerability
To exploit the vulnerability in WP Tabs:
POC:
1) Navigate to the WP Tabs plugin and create a new tab. 2) Go to the Typography tab in the plugin settings. 3) Locate the "Subsection Title - Margin Bottom" field. 4) Inject the following payload into the field 5) Save the settings. 6) When the page is reloaded or another user accesses the affected section, the malicious script executes, potentially allowing the attacker to steal session cookies, perform unauthorized actions, or manipulate website content.____
The risks associated with Stored XSS in WP Tabs include:
- Admin Session Hijacking: If an administrator triggers the injected script, an attacker can steal session cookies and gain unauthorized access to the WordPress dashboard.
- Phishing Attacks: Malicious scripts can display fake login forms to steal user credentials.
- Defacement and Content Injection: Attackers can modify page content, embed malicious links, or distribute malware.
- Privilege Escalation: If combined with other vulnerabilities, Stored XSS can lead to full site compromise.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-11503, administrators should update the WP Tabs plugin to the latest version as soon as a security patch is released. Additionally, it is crucial to restrict the unfiltered_html capability for non-admin users to prevent them from injecting malicious scripts into the vulnerable Subsection Title – Margin Bottom field.
Proper input sanitization and validation should be enforced for all fields that accept user input, especially those affecting the frontend. Implementing Content Security Policies (CSP) can further mitigate the risk of script execution. Regular security audits should be performed to identify and remediate potential XSS vulnerabilities proactively.
To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11503, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Artyom k.