Pods – Custom Content Types and Fields is a popular WordPress plugin that allows users to create and manage custom content types and fields. However, a serious Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-11849, has been discovered in the plugin. This flaw allows an attacker with editor-level privileges to inject malicious JavaScript into the “Add Button Text” field within the plugin’s “File / Image / Video/ Options” settings. The injected script can then be executed when the settings page is accessed, leading to the creation of a backdoor and potentially allowing attackers to hijack an admin session or escalate their privileges. With over 100,000 active installations, this vulnerability represents a significant security threat for WordPress websites using Pods.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-11849 |
| Plugin | Pods – Custom Content Types and Fields < 3.2.8.1 |
| Severity | High |
| All-time downloads | 4 524 152 |
| Active installations | 100 000+ |
| Publicly Published | December 17, 2024 |
| Last Updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11849, https://wpscan.com/vulnerability/85b25a5b-c30b-4a2a-96c1-f05b4eba8a9b/ |
Timeline

| Date | Event |
| --- | --- |
| November 12, 2024 | Plugin testing and vulnerability detection in Pods – Custom Content Types and Fields has been completed |
| November 12, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | Registered CVE-2024-11849 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Pods plugin. The plugin does not properly sanitize the value entered in the “Add Button Text” field when the “File / Image / Video / Options” settings are configured for a Users pod. This field controls the label of the button shown in file upload fields. A user with editor-level privileges can enter JavaScript into this field; the value is stored unchanged in the WordPress database and, because it is also output without escaping, the script runs in the browser of anyone who views a user profile. The root cause is therefore a missing sanitize-on-input and escape-on-output step for a field that should only ever hold a short plain-text label.
Understanding XSS Attacks
Cross-Site Scripting (XSS) vulnerabilities are among the most common and dangerous types of security flaws in web applications, especially in content management systems like WordPress. XSS occurs when an attacker injects malicious JavaScript into a web page, which is then executed in the browser of anyone viewing that page. This type of attack can be used to hijack user sessions, steal sensitive data, or escalate privileges. A well-known real-world example of XSS in WordPress was found in the Contact Form 7 plugin, where attackers could inject JavaScript into form fields, leading to session hijacking and unauthorized access. Similarly, CVE-2024-11849 allows for script injection in the Pods plugin, which could lead to account takeover and other malicious actions.
Exploiting the XSS Vulnerability
To exploit CVE-2024-11849, an attacker with editor-level privileges performs the following steps.

PoC:

1. Create a new Users pod.
2. Add a new field to this pod and choose the File upload field type.
3. In the "File / Image / Video / Options" settings, change "Add Button Text" to `<img src=x onerror=alert(10)>`.
4. Save the settings.
5. Open any user profile.

(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
The risks associated with CVE-2024-11849 are severe. If exploited, this vulnerability could allow an attacker to hijack an administrator’s session or escalate their privileges to admin-level access. Once the attacker has admin access, they could alter content, install malicious plugins, steal sensitive data, or perform other malicious actions. In a real-world scenario, an attacker could use this vulnerability to modify user profiles, gain unauthorized access to sensitive information, or lock legitimate administrators out of their accounts. For websites that handle sensitive user information, such as e-commerce platforms or membership sites, the consequences of this vulnerability could be catastrophic, leading to data breaches, financial losses, and reputational damage. This vulnerability could also serve as an entry point for further attacks on other systems connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-11849, WordPress administrators should update the Pods plugin to a version outside the affected range (< 3.2.8.1) as soon as a patch is available. Additionally, administrators should review user roles and restrict editor-level users from accessing the “Add Button Text” field in the “File / Image / Video / Options” settings. Proper sanitization and validation of user input on save, combined with escaping on output, are essential to prevent script injection in dynamic content fields. Disabling the unfiltered_html capability for non-admin users is another key security measure. Administrators should also deploy a Content Security Policy (CSP) to limit the impact of any successful XSS attack and regularly perform security audits to detect and remediate vulnerabilities. The vendor applied our recommended fixes to prevent this type of attack.
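The following PHP is an added illustration written for this post; it is not code from the Pods plugin. It shows the generic WordPress pattern behind the flaw described in the Discovery section (a button label saved and echoed verbatim) next to the hardened form the recommendations above call for: sanitize on save, escape on output, drop unfiltered_html from the editor role, and send a CSP. The option name, request field name, nonce action and function names are hypothetical; the WordPress API calls (sanitize_text_field, esc_html, check_admin_referer, get_role, add_action and so on) are real core functions.

```php
<?php
// Added example, not Pods' own code. Option/field/nonce names are hypothetical.

// ---- Vulnerable pattern: the class of flaw described in this advisory -------
function example_save_button_text_unsafe() {
    if ( isset( $_POST['example_add_button_text'] ) ) {
        // Stored verbatim: any markup the editor typed lands in the database.
        update_option( 'example_add_button_text', wp_unslash( $_POST['example_add_button_text'] ) );
    }
}

function example_render_button_unsafe() {
    // Echoed verbatim: the browser interprets stored markup as HTML and runs
    // any inline event handler it contains.
    echo '<button type="button">' . get_option( 'example_add_button_text', 'Add File' ) . '</button>';
}

// ---- Hardened pattern -------------------------------------------------------
function example_save_button_text_safe() {
    if ( ! isset( $_POST['example_add_button_text'] ) ) {
        return;
    }
    // Only users who may manage settings can change the label, and the request
    // must carry a valid nonce so a forged form cannot change it either.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_button_text' );

    // A button label is plain text: sanitize_text_field() strips tags and
    // control characters, so "<img src=x onerror=...>" is never stored.
    $label = sanitize_text_field( wp_unslash( $_POST['example_add_button_text'] ) );
    update_option( 'example_add_button_text', $label );
}

function example_render_button_safe() {
    // Escape at output time regardless of what is stored, so a value written
    // by an older version or a direct DB edit still cannot inject markup.
    // Use esc_attr() instead if the label goes into an HTML attribute.
    $label = get_option( 'example_add_button_text', 'Add File' );
    echo '<button type="button">' . esc_html( $label ) . '</button>';
}

// ---- Defence in depth 1: editors should not be able to post raw HTML/JS -----
function example_remove_unfiltered_html_from_editors() {
    $role = get_role( 'editor' );
    // remove_cap() persists the change, so the has_cap() guard keeps this idempotent.
    if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
        $role->remove_cap( 'unfiltered_html' );
    }
}
add_action( 'init', 'example_remove_unfiltered_html_from_editors' );

// ---- Defence in depth 2: a CSP that refuses inline handlers such as onerror= -
function example_send_csp_header() {
    if ( headers_sent() ) {
        return;
    }
    // No 'unsafe-inline' in script-src: inline event handlers and <script>
    // blocks injected via stored XSS are blocked by the browser.
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'example_send_csp_header' );
```

The two safe functions are the ones a plugin author should ship; the capability and CSP hooks are site-level hardening a WordPress administrator can add in a small must-use plugin. Note that wp-admin and many themes rely on inline scripts, so the CSP shown is a starting point to test in report-only mode first, and that setting `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php removes unfiltered_html from every role, administrators included, if that stricter posture is acceptable.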
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11849, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.