In November 2024, a Stored Cross-Site Scripting (XSS) vulnerability was found in the popular WordPress plugin Widget for Social Page Feeds (formerly known as "Facebook Page Like Widget"). The plugin is active on more than 60,000 WordPress sites and is widely used to display Facebook page feeds in sidebars and other widget areas. The vulnerability, assigned CVE-2024-13207 and publicly disclosed in April 2025, affects all plugin versions below 6.4.2. An attacker who can edit widgets can store malicious JavaScript that runs in the browser of anyone who views the affected page, including administrators, which can lead to full site compromise.
| Field | Value |
|---|---|
| CVE | CVE-2024-13207 |
| Plugin | Widget for Social Page Feeds < 6.4.2 |
| Severity | High |
| All-time downloads | 1 570 498 |
| Active installations | 60 000+ |
| Publicly published | April 08, 2025 |
| Last updated | April 08, 2025 |
| Researcher | Artyom Krugov |
| OWASP Top 10 (2017) | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13207 , https://wpscan.com/vulnerability/c3e27fa2-b6dd-48eb-83ec-99dc034eff38/ |
Timeline

| Date | Event |
|---|---|
| November 29, 2024 | Plugin testing completed; the vulnerability in Widget for Social Page Feeds was identified |
| November 29, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 07, 2025 | CVE-2024-13207 registered |
Discovery of the Vulnerability
The vulnerability was identified during a routine security audit focusing on popular social media integration plugins for WordPress. Researchers noticed that the value of the Facebook Page URL field in the widget settings was neither sanitized when saved nor escaped when rendered on the front end.
By inserting a JavaScript payload into this field, an attacker with access to widget settings could store a script that executes in the browser of every visitor to the page, including logged-in administrators, making it a classic Stored XSS vector.
The vendor was notified and has since released a patch in version 6.4.2.
Understanding Stored XSS attacks
Stored XSS occurs when an application stores unsanitized user input and later displays it in a page without proper output escaping. Unlike reflected XSS, which requires a user to click a malicious link, stored XSS persists in the database and gets triggered automatically when a victim visits the infected page.
In the context of WordPress, widget forms, custom fields, and plugin options are frequent targets for such vulnerabilities. Once injected, a malicious script can:
- Steal admin cookies and session tokens.
- Perform state-changing actions (change settings, install plugins, edit content) with the victim's privileges, since the script runs with the victim's cookies and can read the REST API nonce from the page.
- Create rogue administrator accounts.
- Deploy webshells or inject PHP backdoors through the plugin or theme editor, if file editing is enabled.
Exploiting the XSS Vulnerability
To exploit this vulnerability (PoC):

1) Navigate to Appearance > Widgets in the WordPress admin panel.
2) Add a new Facebook Page Like Widget.
3) In the Facebook Page URL field, insert the XSS payload.
4) Save the widget and visit the front page where the widget is rendered.
5) Simply hovering over the widget triggers the XSS payload.

Step 1 requires an account that is allowed to manage widgets, which by default means an administrator. The vulnerability therefore matters most where such an account does not also hold the unfiltered_html capability: on multisite installs, or on sites where DISALLOW_UNFILTERED_HTML is set, a widget editor is not supposed to be able to store script at all.

In real-world exploitation, instead of a harmless alert(1), an attacker could inject a script that sends the admin's cookies to a remote server or executes privileged actions via WordPress REST API calls.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-13207, administrators should promptly update the Widget for Social Page Feeds plugin to version 6.4.2 or later. It is crucial to ensure that all user-configurable fields in widgets, especially the Facebook Page URL, are sanitized on input and escaped on output with the function that matches the context: esc_url_raw() or sanitize_text_field() when the value is saved, and esc_url() or esc_attr() when it is placed in an HTML attribute. Site owners should also implement a strong Content Security Policy (CSP) to reduce the impact of any XSS payload that does get stored, disable the file editor in the WordPress dashboard by setting DISALLOW_FILE_EDIT to true in wp-config.php, and review user roles so that only administrators can configure widgets. The vendor applied these recommendations in the 6.4.2 release.
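The following is an added example, not code from Widget for Social Page Feeds or from the researcher: a minimal WP_Widget with a single "Facebook Page URL" setting, first in the vulnerable shape the advisory describes and then hardened with the core functions named above. The class names, the option key page_url and the output markup are hypothetical; esc_url_raw(), esc_url(), esc_attr(), wp_parse_url() and WP_Widget are WordPress core APIs, so the file is meant to run inside WordPress (for example as an mu-plugin), not stand-alone.

```php
<?php
/**
 * Added example (hypothetical widget, not the plugin's own code).
 * Shows the vulnerable save/render pattern next to a hardened one.
 */

// Vulnerable pattern: stored unsanitized, echoed unescaped into an attribute.
class Example_Vulnerable_Page_Widget extends WP_Widget {
	public function __construct() {
		parent::__construct( 'example_vulnerable_page', 'Example Page Widget (vulnerable)' );
	}

	public function update( $new_instance, $old_instance ) {
		// Whatever was typed into the field is saved verbatim.
		return array( 'page_url' => $new_instance['page_url'] );
	}

	public function widget( $args, $instance ) {
		echo $args['before_widget'];
		// A double quote in the stored value closes the attribute early, so any
		// attribute-shaped text that follows (e.g. an event handler) lands on
		// the element and runs in the visitor's browser.
		echo '<div class="fb-page" data-href="' . $instance['page_url'] . '"></div>';
		echo $args['after_widget'];
	}
}

// Hardened pattern: sanitize and validate on save, escape again on output.
class Example_Hardened_Page_Widget extends WP_Widget {
	public function __construct() {
		parent::__construct( 'example_hardened_page', 'Example Page Widget (hardened)' );
	}

	public function update( $new_instance, $old_instance ) {
		$instance = $old_instance;
		$raw      = isset( $new_instance['page_url'] ) ? trim( (string) $new_instance['page_url'] ) : '';

		// esc_url_raw() is the storage-context sanitizer: it drops characters
		// that cannot appear in a URL (quotes, spaces, angle brackets) and
		// rejects any scheme not in the allowed list, e.g. javascript:.
		$url = esc_url_raw( $raw, array( 'http', 'https' ) );

		// Validate the host as well: only a facebook.com page makes sense here,
		// so anything else is discarded rather than stored.
		$host                 = wp_parse_url( $url, PHP_URL_HOST );
		$instance['page_url'] = ( $host && preg_match( '/(^|\.)facebook\.com$/i', $host ) ) ? $url : '';
		return $instance;
	}

	public function widget( $args, $instance ) {
		$url = isset( $instance['page_url'] ) ? $instance['page_url'] : '';
		if ( '' === $url ) {
			return;
		}
		echo $args['before_widget'];
		// Escape at output too: the database is not a trust boundary, and
		// esc_url() is the display-context escaper for a URL in an attribute.
		printf( '<div class="fb-page" data-href="%s"></div>', esc_url( $url, array( 'http', 'https' ) ) );
		echo $args['after_widget'];
	}

	public function form( $instance ) {
		$url = isset( $instance['page_url'] ) ? $instance['page_url'] : '';
		// The admin form is HTML output as well: esc_attr() on every attribute.
		printf(
			'<p><label for="%1$s">Facebook Page URL</label>'
			. '<input class="widefat" type="url" id="%1$s" name="%2$s" value="%3$s"></p>',
			esc_attr( $this->get_field_id( 'page_url' ) ),
			esc_attr( $this->get_field_name( 'page_url' ) ),
			esc_attr( $url )
		);
	}
}

add_action( 'widgets_init', function () {
	register_widget( 'Example_Hardened_Page_Widget' );
} );
```

The same two-step rule applies to any other widget setting: a free-text title goes through sanitize_text_field() on save and esc_html() or esc_attr() on output, and the escaper must match where the value lands (a URL echoed inside a script block, for instance, needs JSON encoding, not esc_url()). Escaping only on save is not enough, because values written by older plugin versions or by other code paths are already in the database.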
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13207, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.