Email Subscribers by Icegram Express is a widely used WordPress plugin for collecting and managing email subscribers, as well as sending newsletters, notifications, and other updates. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12567, has been discovered in this plugin. The vulnerability allows attackers to inject malicious JavaScript into form fields, which can lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this flaw represents a significant security risk to WordPress websites using the Email Subscribers plugin.

CVE: CVE-2024-12567
Plugin: Email Subscribers < 5.7.45
Critical: High
All Time: 11 023 855
Active installations: 100 000+
Publicly Published: December 17, 2024
Last Updated: December 17, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12567
https://wpscan.com/vulnerability/82051ccc-c528-4ff3-900a-3b8e8ad34145/

Timeline

November 18, 2024: Plugin testing and vulnerability detection in Email Subscribers were completed
November 18, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 17, 2024: Registered CVE-2024-12567

Discovery of the Vulnerability

The vulnerability was identified during a security review of the Email Subscribers plugin. The plugin fails to properly sanitize user input in the “form_data@5Bsettings:5D&5Bdnd_editor_css%5d” field when creating or editing forms. This field lets users modify the settings of a form, including its CSS and JavaScript. An attacker with editor-level privileges can inject a malicious payload into this field, and the value is stored unmodified in the WordPress database. Because the stored CSS is emitted into the page without filtering, a value that closes the surrounding style element is parsed as HTML, and when the form is later rendered the injected JavaScript executes in the browser of any user viewing it. The root cause is improper input sanitization and the lack of sufficient validation of user input in fields that affect the frontend content of the site.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities occur when an attacker is able to inject malicious JavaScript into web pages, which is then executed in the browsers of users who view the page. These attacks can have various malicious effects, such as stealing session cookies, performing actions on behalf of the user, and escalating privileges. XSS vulnerabilities are particularly dangerous in WordPress plugins that allow user-generated content or settings to be applied on the frontend without proper sanitization. A real-world example of XSS in WordPress was discovered in the Contact Form 7 plugin, where attackers could inject malicious scripts into form fields, leading to session hijacking. CVE-2024-12567 exploits the same type of flaw in the Email Subscribers plugin, enabling contributors to inject malicious JavaScript into form settings.

Exploiting the XSS Vulnerability

To exploit CVE-2024-12567, an attacker with editor-level privileges proceeds as follows:

POC:

1. Create a new form, click Next, and switch on the popup option. Save it and intercept the request.
2. Change the "form_data@5Bsettings:5D&5Bdnd_editor_css%5d" field to "</style><img src=x onerror=alert(1)>".
3. Save and copy the shortcode of this form.
4. To trigger the XSS, create a new post and insert the shortcode of this form.

(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The risks posed by CVE-2024-12567 are significant. If successfully exploited, this vulnerability allows an attacker to hijack the session of an administrator or create a backdoor admin account, giving the attacker full control over the WordPress site. This could lead to a range of malicious activities, such as stealing sensitive data, altering content, defacing the site, or installing malware. In a real-world scenario, an attacker could escalate their privileges to an admin role, providing them with long-term access to the site even if the original admin changes their login credentials. For websites that handle sensitive user data, such as e-commerce sites or membership platforms, this vulnerability could result in significant data breaches, financial loss, and reputational damage. Moreover, once the attacker gains access, they could compromise other systems connected to the site.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-12567, administrators should immediately update the Email Subscribers plugin to the latest version once a patch is released. It is also essential to ensure that all user input, particularly in fields such as “form_data@5Bsettings:5D&5Bdnd_editor_css%5d,” is properly sanitized and validated both before it is saved and when it is rendered. Disabling the unfiltered_html capability for non-admin users, especially contributors, will help prevent malicious scripts from being injected into plugin settings. Additionally, implementing a Content Security Policy (CSP) can block the execution of untrusted inline scripts, reducing the impact of any successful XSS attack. Regular security audits, the use of security plugins, and proper user role management can also help detect and mitigate vulnerabilities before they can be exploited. To prevent this type of attack, the vendor applied the prevention methods we recommended.
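The following is an added example, not code from the Email Subscribers plugin, illustrating the flaw described in the Discovery section and the save-time validation plus render-time filtering recommended above. The function names are hypothetical; the sample CSS and the payload value are constructed (the payload is the one quoted in the PoC). Plain PHP is used so the file runs with `php` outside WordPress.

```php
<?php
// Added example (hypothetical helpers, not plugin code): safe handling of a
// user-supplied CSS setting that is rendered inside a <style> element, as
// with the dnd_editor_css form setting discussed on this page.

// Vulnerable pattern: the stored value is concatenated into the page as-is.
// A value beginning with "</style>" closes the style element, and the browser
// parses whatever follows as HTML, so an <img onerror=...> tag runs script.
function render_form_css_vulnerable(string $css): string {
    return '<style>' . $css . '</style>';
}

// Validation at save time: legitimate CSS never contains tags, so reject any
// value that looks like markup (an opening or closing tag). This is the same
// rule WordPress core applies to Customizer "Additional CSS".
function validate_form_css(string $css): bool {
    return preg_match('#</?\w+#', $css) !== 1;
}

// Defence in depth at render time: strip tags before output. HTML-escaping is
// not suitable here, because a selector such as "div > span" would become
// "div &gt; span", and entities are not decoded inside a <style> element.
function render_form_css_safe(string $css): string {
    return '<style>' . strip_tags($css) . '</style>';
}

// Constructed sample values: one legitimate stylesheet and the PoC payload.
$legit   = '.es-form div > span { color: #333; }';
$payload = '</style><img src=x onerror=alert(1)>';

// The validator accepts the stylesheet and rejects the payload; the safe
// renderer keeps the legitimate selector intact and neutralises the payload,
// whereas the vulnerable renderer emits the payload as live markup.
var_dump(validate_form_css($legit));
var_dump(validate_form_css($payload));
echo render_form_css_safe($legit), PHP_EOL;
echo render_form_css_vulnerable($payload), PHP_EOL;
echo render_form_css_safe($payload), PHP_EOL;
```

Rejecting markup at save time is the primary control; the render-time strip only limits damage if a value reaches the database through some other path.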

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12567, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-12567 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC
