Email Subscribers by Icegram Express is a widely used WordPress plugin designed to help website administrators collect and manage email subscribers, as well as send newsletters and email notifications. However, a critical vulnerability has been found in the plugin, CVE-2024-11636, which allows attackers with editor-level access to inject malicious JavaScript into form fields. This stored Cross-Site Scripting (XSS) vulnerability can lead to account takeover by creating a backdoor that allows unauthorized users to gain full control of the site. With over 100,000 active installations, this flaw represents a serious security risk for WordPress sites using the plugin.
| CVE | CVE-2024-11636 |
| Plugin | Email Subscribers < 5.7.45 |
| Critical | High |
| All Time | 11 023 855 |
| Active installations | 100 000+ |
| Publicly Published | December 17, 2024 |
| Last Updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11636 https://wpscan.com/vulnerability/da616c20-3d74-4d3a-95f5-2d71d9ada094/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| November 18, 2024 | Plugin testing and vulnerability detection in the Email Subscribers have been completed |
| November 18, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | Registered CVE-2024-11636 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the Email Subscribers by Icegram Express plugin. It was found that the plugin does not properly sanitize input in the “id” field when creating or editing a form. This field allows users to define unique identifiers for form elements, and it is improperly validated, allowing JavaScript to be injected. When a user creates or edits a form with a malicious payload in the “id” field, the malicious script is stored and rendered when the form is reloaded. The flaw exists due to a lack of input sanitization and validation in this field, allowing users with editor privileges to insert harmful JavaScript that will execute when the form settings page is visited again.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities occur when an attacker injects malicious scripts into web pages, which are then executed in the browsers of users who visit the page. These attacks can have a range of malicious effects, such as hijacking sessions, stealing data, and escalating privileges. XSS vulnerabilities are common in WordPress plugins, where user-generated content is often incorporated into the page without proper sanitization. A real-world example of XSS in WordPress occurred in the Contact Form 7 plugin, where an attacker could inject JavaScript into form fields to steal user data or hijack admin sessions. CVE-2024-11636 is a similar vulnerability, exploiting improper input validation in the Email Subscribers by Icegram Express plugin to inject malicious JavaScript into form settings.
Exploiting the XSS Vulnerability
To exploit CVE-2024-11636, an attacker with editor-level privileges:
POC:
Create a new Form add here Text block and change "id" field to "</style><img src=x onerror=alert(1)>". Save and reload page. To trigger XSS you should go to this form and edit it one more time. (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-11636 are substantial. If exploited, an attacker could hijack an administrator’s session, steal sensitive data, or escalate their privileges to create a backdoor admin account. Once an attacker gains admin access, they could modify content, install malicious plugins, or steal user data. In a real-world scenario, an attacker could gain access to a site’s email subscriber list, potentially using the backdoor to send phishing emails or conduct further attacks. For websites dealing with sensitive information, such as e-commerce sites or membership platforms, this vulnerability could lead to significant data breaches, financial losses, and reputational damage. Moreover, once the attacker has backdoor access, they could maintain persistent control over the site even if administrators change their passwords.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-11636, administrators should update the Email Subscribers by Icegram Express plugin to the latest version as soon as a patch is available. In addition, administrators should review user roles and restrict editor-level users from accessing or modifying sensitive fields such as the “id” field. Proper sanitization and validation of user input, especially in fields that affect dynamic content, are essential to prevent XSS attacks. It is also recommended to disable the unfiltered_html capability for non-admin users to prevent them from injecting malicious scripts into plugin settings. Implementing Content Security Policies (CSP) and performing regular security audits are additional steps that can help detect and block potential XSS vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11636, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
