Icegram Engage, a popular WordPress plugin for creating opt-ins, subscription forms, and campaigns, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12302. This flaw allows attackers with editor-level access to inject malicious JavaScript into the settings of a campaign, which is then executed when the campaign is accessed. The injected script could be used to hijack an admin session or create a backdoor admin account, leading to full site compromise. With over 30,000 active installations, this vulnerability represents a serious threat to WordPress websites using Icegram Engage.
| Field | Value |
|---|---|
| CVE | CVE-2024-12302 |
| Plugin | Icegram Engage < 3.1.32 |
| Severity | High |
| All-time downloads | 2 390 125 |
| Active installations | 30 000+ |
| Publicly published | December 17, 2024 |
| Last updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12302 ; https://wpscan.com/vulnerability/ed860dac-8c4a-482f-8826-31f1a894b6ce/ |
Timeline

| Date | Event |
|---|---|
| November 26, 2024 | Plugin testing and vulnerability detection in Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA completed |
| November 26, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | CVE-2024-12302 registered |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security audit of the Icegram Engage plugin. It was found that the plugin fails to sanitize user input in specific HTML fields when creating or duplicating a campaign. An attacker with editor privileges can exploit this flaw by modifying the HTML fields to include malicious JavaScript code. The script is then stored in the plugin’s configuration and executed when the settings page is revisited. This vulnerability is particularly concerning because it allows users with low privileges, such as editors, to inject and store malicious scripts that could lead to privilege escalation and backdoor creation.
Understanding XSS Attacks
Cross-Site Scripting (XSS) vulnerabilities are common and dangerous flaws in web applications, including WordPress plugins. XSS occurs when an attacker is able to inject malicious JavaScript into a web page, which is then executed by the browser of anyone viewing the page. This can lead to a variety of malicious actions, such as session hijacking, credential theft, and privilege escalation. A well-known example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject JavaScript into form fields, allowing for session hijacking. Similarly, CVE-2024-12302 exploits improper input sanitization in Icegram Engage, enabling attackers to inject malicious JavaScript into campaign settings and execute it when the settings page is accessed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-12302, an attacker with author-level privileges proceeds as follows.
PoC:
Duplicate "My First Icegram Campaign" in 127.0.0.1/wordpress/wp-admin/edit.php?post_type=ig_campaign. Switch on the "Use Opt-in / Subscription / Lead capture form" box. Change the two new HTML fields to "<img src=x onerror=alert(1)>". Save it. To trigger the XSS, click on the first HTML field and then on the second.
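For a site owner who suspects this has already been abused, here is an added example (not part of the advisory, of CleanTalk's tooling, or of the plugin) of a read-only PHP check that scans stored campaign settings for script-capable markup such as the PoC payload above. It assumes campaigns are posts of type ig_campaign, as in the PoC URL, with their settings in postmeta; the function name and the WP-CLI command name are illustrative.

```php
<?php
// Added example (not from the advisory or the plugin): a read-only hunt for
// script-capable markup already stored in campaign settings, so a payload
// like the PoC's <img src=x onerror=...> can be found after the fact.
// Assumptions: campaigns are posts of type 'ig_campaign' (the post type in the
// PoC URL) and their settings live in wp_postmeta; names are illustrative.

function demo_find_scripted_campaign_meta( string $post_type = 'ig_campaign' ): array {
    global $wpdb;

    // Pull every meta row that belongs to a campaign post.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT pm.post_id, pm.meta_key, pm.meta_value
               FROM {$wpdb->postmeta} pm
               JOIN {$wpdb->posts} p ON p.ID = pm.post_id
              WHERE p.post_type = %s",
            $post_type
        ),
        ARRAY_A
    );

    // Markup that can execute script: <script>, inline event handlers such as
    // onerror= / onload=, and javascript: URLs. Serialized values are checked
    // as raw strings on purpose so nothing untrusted is unserialized.
    $pattern = '/<script\b|\bon[a-z]+\s*=|javascript\s*:/i';

    $hits = [];
    foreach ( $rows as $row ) {
        $value = (string) $row['meta_value'];
        if ( preg_match( $pattern, $value, $m ) ) {
            $hits[] = [
                'post_id'  => (int) $row['post_id'],
                'meta_key' => $row['meta_key'],
                'match'    => $m[0],
            ];
        }
    }
    return $hits;
}

// Expose the check as `wp demo scan-campaigns` when WP-CLI is present.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'demo scan-campaigns', function () {
        $hits = demo_find_scripted_campaign_meta();
        if ( ! $hits ) {
            WP_CLI::success( 'No script-capable markup found in campaign settings.' );
            return;
        }
        WP_CLI\Utils\format_items( 'table', $hits, [ 'post_id', 'meta_key', 'match' ] );
        WP_CLI::warning( count( $hits ) . ' suspicious value(s); review each campaign in the editor before removing.' );
    } );
}
```

The regex is a triage heuristic and will flag some benign text (any word starting with "on" directly followed by "="), so treat hits as leads to review rather than proof of compromise. A broader but slower test is to compare each value with wp_kses_post( $value ): any difference means the stored markup contains something the post-safe allow-list would have stripped.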
The risks associated with CVE-2024-12302 are severe. If exploited, this vulnerability could allow an attacker to hijack an administrator’s session, steal sensitive data, or gain full control of the WordPress site. A real-world scenario could involve an attacker escalating their privileges to create a backdoor admin account, thereby gaining persistent access to the site. Once in control, the attacker could modify content, install malicious plugins, or exfiltrate user data. For websites that store sensitive information, such as e-commerce or membership sites, the impact of this vulnerability could be catastrophic, leading to data breaches, financial losses, and reputational damage. Additionally, this flaw could be used to launch further attacks on other systems or websites connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-12302, administrators should immediately update the Icegram Engage plugin to a patched version (3.1.32 or later, as listed in the table above). It is also essential to restrict the unfiltered_html capability for non-admin users, particularly editors, to prevent them from injecting JavaScript into plugin settings. Input fields, especially those involving dynamic content such as campaign settings, should be properly sanitized and validated to prevent script injection. Administrators should also implement a Content Security Policy (CSP) to limit the execution of untrusted scripts. Regular security audits, using security plugins to detect XSS vulnerabilities, and reviewing user permissions are essential practices for protecting WordPress sites from such vulnerabilities. To prevent this type of attack, the vendor applied our recommended methods of prevention.
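As an added example (not code from Icegram Engage or from CleanTalk), the following PHP contrasts a settings handler that stores a campaign's HTML field verbatim with one that applies the recommendations above: sanitize on save with wp_kses_post() unless the saving user actually holds unfiltered_html, escape on output for the attribute context the value lands in, and remove unfiltered_html from the editor role. All function names, the meta key and the form field name are illustrative assumptions.

```php
<?php
// Added example (not Icegram Engage's own code): how a plugin settings field
// that accepts HTML can be saved unsafely, and how to save and render it safely.
// Function, meta-key and field names are illustrative assumptions.

// --- Vulnerable pattern: the submitted HTML is stored verbatim. ---
// Any editor can store "<img src=x onerror=...>" and it executes for whoever
// opens the campaign settings screen later (the CVE-2024-12302 pattern).
function demo_save_campaign_html_unsafe( int $campaign_id ): void {
    if ( ! current_user_can( 'edit_post', $campaign_id ) ) {
        return;
    }
    check_admin_referer( 'demo_save_campaign', 'demo_nonce' );

    $html = wp_unslash( $_POST['demo_campaign_html'] ?? '' );
    update_post_meta( $campaign_id, '_demo_campaign_html', $html ); // stored as-is
}

// --- Hardened pattern: sanitize on save according to who is saving. ---
function demo_save_campaign_html_safe( int $campaign_id ): void {
    if ( ! current_user_can( 'edit_post', $campaign_id ) ) {
        return;
    }
    check_admin_referer( 'demo_save_campaign', 'demo_nonce' );

    $html = wp_unslash( $_POST['demo_campaign_html'] ?? '' );

    // Users without unfiltered_html (editors once the capability is removed,
    // and every role on multisite by default) get the post-safe allow-list,
    // which strips <script>, on* event handlers and javascript: URLs.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html );
    }
    update_post_meta( $campaign_id, '_demo_campaign_html', $html );
}

// --- Output: escape for the context the value lands in. ---
// Rendering the stored value inside an <input value="..."> attribute on the
// settings screen needs esc_attr(); echoing it as HTML needs wp_kses_post().
function demo_render_campaign_html_field( int $campaign_id ): void {
    $html = (string) get_post_meta( $campaign_id, '_demo_campaign_html', true );
    printf(
        '<input type="text" name="demo_campaign_html" value="%s">',
        esc_attr( $html )
    );
}

// --- Removing unfiltered_html from editors, as the advisory recommends. ---
// Run once (activation hook or a must-use plugin); role capabilities persist
// in the database, so this does not need to run on every request.
function demo_restrict_unfiltered_html(): void {
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
}
register_activation_hook( __FILE__, 'demo_restrict_unfiltered_html' );
```

The sanitize-on-save step is the one that closes the stored XSS; the output escaping is defence in depth for values that were stored before the fix. If removing the capability per role is too fine-grained, defining DISALLOW_UNFILTERED_HTML as true in wp-config.php withdraws unfiltered_html from every user, administrators included, which also covers fields the plugin itself renders raw.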
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12302, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.