WP ULike is a popular WordPress plugin that enables website administrators to add like buttons to posts, comments, and custom post types. This feature is widely used across WordPress websites to allow users to express their preferences for content. However, a critical vulnerability, CVE-2024-12770, has been identified in the plugin that allows for the injection of malicious JavaScript into the site. This Stored Cross-Site Scripting (XSS) vulnerability can be exploited by attackers with editor-level access, enabling them to inject malicious scripts into the “Like Button Aria Label” field. When the settings are saved, the injected script is stored in the database and executed on the frontend, which could lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability presents a significant security risk to WordPress websites using WP ULike.

CVE: CVE-2024-12770
Plugin: WP ULike < 4.7.6
Criticality: High
All-time downloads: 2 351 786
Active installations: 100 000+
Publicly Published: January 17, 2024
Last Updated: January 17, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12770
https://wpscan.com/vulnerability/e21f6a4e-f385-411b-8d91-0f38f9e6cdd3/

Timeline

November 6, 2024: Plugin testing and vulnerability detection in WP ULike were completed.
November 6, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
January 17, 2024: Registered CVE-2024-12770.

Discovery of the Vulnerability

The vulnerability was discovered during a routine security audit of WP ULike. It was found that the plugin fails to properly sanitize user input in the “Like Button Aria Label” field within the “Strings” settings. The field allows site administrators and editors to modify the text of the aria label used by the like button. However, the plugin does not properly validate or escape JavaScript code inserted into this field, allowing attackers to inject arbitrary JavaScript. Once the settings are saved, the malicious script is stored in the database and executed when the page containing the like button is viewed, triggering the malicious action. The vulnerability stems from inadequate input validation and sanitization, allowing JavaScript to be executed in the browser of users who hover over the like button.

Understanding XSS Attacks

Cross-Site Scripting (XSS) is a common web vulnerability that occurs when an attacker injects malicious JavaScript into a webpage, which is then executed by the browser of a user who views the page. This type of attack can result in session hijacking, data theft, and the execution of unauthorized actions on behalf of the user. In WordPress, XSS vulnerabilities are frequently found in plugins that allow user input to be displayed on the frontend without proper sanitization. A real-world example of an XSS vulnerability in WordPress occurred in the WPForms plugin, where attackers were able to inject malicious JavaScript into form fields, leading to session hijacking. CVE-2024-12770 exploits the same type of flaw in WP ULike, allowing JavaScript injection through the “Like Button Aria Label” field, which is rendered on the frontend and executed when the like button is interacted with.

Exploiting the XSS Vulnerability

To exploit CVE-2024-12770, an attacker with editor-level privileges follows the steps of the PoC below.

PoC:

1. Go to the main settings of the plugin.
2. Change the "Like Button Aria Label" field in the "Strings" settings to malicious JavaScript (eval() and the like), for example: 123" onmouseover=alert(1)//
3. Save Settings.
4. Go to any post and hover over the like button.

Note: admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.

____

The risks posed by CVE-2024-12770 are significant. If exploited, an attacker could hijack an admin’s session or escalate their privileges to gain full control of the site. This could result in unauthorized access to sensitive data, the modification of site content, the installation of malicious plugins, or even the defacement of the site. In a real-world scenario, an attacker could create a backdoor admin account, giving them persistent access to the site even if the vulnerability is patched. This is especially dangerous for sites handling sensitive information, such as e-commerce or membership platforms, where data breaches and unauthorized access could lead to financial losses and reputational damage. The attacker could also use this vulnerability to install further malicious scripts or compromise other connected systems.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-12770, administrators should immediately update the WP ULike plugin to version 4.7.6 or later, which contains the fix. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. Proper input sanitization and validation should be implemented for all user-generated content, particularly in fields like the “Like Button Aria Label” field, and every such value must be escaped for the HTML context in which it is output. Implementing a Content Security Policy (CSP) can help mitigate the impact of XSS attacks by blocking untrusted scripts from executing. Regular security audits, the use of security plugins, and the proper management of user permissions can further reduce the risk of XSS vulnerabilities being exploited. To prevent this type of attack, the vendor applied our recommended methods of prevention.
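The two fixes the recommendations call for, escaping on output and sanitizing on save, shown as an added example that is not WP ULike's code: the render functions, the option key `like_button_aria_label` and the button markup are assumptions, and the `esc_attr()`/`sanitize_text_field()` stand-ins exist only so the file runs outside WordPress (inside WordPress the real functions are used).

```php
<?php
// Added example, not taken from the WP ULike plugin. Shows how an unescaped
// settings string becomes an attribute-context stored XSS and how to fix it.
// Stand-ins so this runs without WordPress; WP's own functions win if loaded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Encodes & < > " ' so a stored value cannot break out of an attribute.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of WP's sanitize_text_field(): strips tags, control
        // characters and surplus whitespace. Note that it keeps double quotes.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}

// Constructed input: the PoC payload an editor saved as the aria label.
$stored_label = '123" onmouseover=alert(1)//';

// Vulnerable pattern: the option value is echoed straight into the attribute,
// so the quote in the payload closes aria-label and the rest becomes an
// onmouseover handler that fires when a visitor hovers over the button.
function render_like_button_vulnerable($label) {
    return '<button class="wp_ulike_btn" aria-label="' . $label . '">Like</button>';
}

// Fixed pattern: esc_attr() at the point of output. The quote is encoded as
// &quot;, so the whole stored string stays inside aria-label as inert text.
function render_like_button_fixed($label) {
    return '<button class="wp_ulike_btn" aria-label="' . esc_attr($label) . '">Like</button>';
}

// Defence in depth: also sanitize when the setting is saved. Registered as the
// sanitize_callback of the option; this alone is NOT enough, because the
// sanitizer keeps the quote that breaks the attribute, hence esc_attr() above.
function wp_ulike_sanitize_aria_label($value) {
    return sanitize_text_field($value);
}
if (function_exists('register_setting')) {
    register_setting('wp_ulike_strings', 'like_button_aria_label',
        ['type' => 'string', 'sanitize_callback' => 'wp_ulike_sanitize_aria_label']);
}

echo render_like_button_vulnerable($stored_label), PHP_EOL;
echo render_like_button_fixed(wp_ulike_sanitize_aria_label($stored_label)), PHP_EOL;
```

The capability restriction from the recommendations is a wp-config.php setting, `define('DISALLOW_UNFILTERED_HTML', true);`, which removes unfiltered_html from every role, so test it against any legitimate workflow that relies on raw HTML before enabling it.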

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12770, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-12770 – WP ULike – Stored XSS to JS Backdoor Creation – POC
