A high-severity Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-1331, has been found in the Team Members plugin for WordPress (versions before 5.3.2). Because the plugin stores the “Link URL” field of a team member and later renders it without proper sanitization or escaping, a user with a role as low as Contributor can save a script that executes in the browser of anyone who views the affected content, including administrators, which can lead to account takeover and full compromise of the site.
Main info:
CVE | CVE-2024-1331 |
Plugin | Team Members < 5.3.2 |
Severity | High |
All-time downloads | 610 694 |
Active installations | 30 000+ |
Publicly Published | February 20, 2024 |
Last Updated | February 20, 2024 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7 (2017): Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1331 https://wpscan.com/vulnerability/b2bac900-3d8f-406c-b03d-c8db156acc59/ |
Timeline
February 5, 2023 | Plugin testing and vulnerability detection in Team Members were completed |
February 5, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
February 20, 2024 | CVE-2024-1331 registered |
Discovery of the Vulnerability
During routine testing of the Team Members plugin, security researchers identified a vulnerability that allows malicious code to be injected via the “Link URL” field when adding a new team member. The value is stored with the member and rendered again wherever the team’s shortcode is placed, so a single injection exposes every visitor and editor of that page to a Stored XSS attack.
Understanding Stored XSS attacks
Stored XSS vulnerabilities occur when user-supplied input is saved on the server and later written into a web page without proper validation and context-aware output escaping. In the case of WordPress plugins like Team Members, an attacker with a low-privileged account injects JavaScript into an input field that the plugin trusts. When other users, including administrators, view the affected content, the injected script executes in their browsers with their session, which is what makes account takeover possible.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2024-1331, an attacker with at least Contributor privileges opens the Team Members plugin’s “Add New Team” screen and places the payload in the “Link URL” field of a new team member. Because the field is rendered inside an href attribute, the payload needs no <script> tag: its leading double quote closes the attribute value and the remainder is parsed as an onmouseover event handler. The script then runs in the browser of any user who views a page where the team’s shortcode is embedded, potentially leading to account takeover or other malicious activity.
POC:
- Click Add New Team and add a new member. Fill in the form with valid names and put `" onmouseover='alert(1)'` into the “Link URL” field. Then place the team’s shortcode in a new post or anywhere else it is rendered, and hover over the member’s link.
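To make the attribute breakout and the corresponding fix concrete, below is an added Python model of the rendering step (the Team Members plugin itself is PHP, and this is not its code). The template markup, the `tmm-link` class name, the allowlisted schemes and the stored rows are all assumptions. It shows the vulnerable interpolation beside a hardened version that allowlists the URL scheme and escapes the attribute, parses the resulting markup to confirm whether an event handler really exists, and runs an audit over constructed stored values of the kind an incident responder would want after updating, since patching stops new injections but does not remove payloads already saved.

```python
"""Model of the "Link URL" attribute-breakout Stored XSS described above.

Added example, NOT the Team Members plugin's own code (the plugin is PHP):
the template markup, class name, scheme allowlist and stored rows are
assumptions made for this illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs: a legitimate link and the PoC payload from the post.
SAFE_URL = "https://example.com/profile"
PAYLOAD = "\" onmouseover='alert(1)'"

# Schemes a team-member link may use; anything else is dropped
# (WordPress's esc_url() applies a similar allowlist).
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def render_vulnerable(name: str, link_url: str) -> str:
    """Interpolates the stored value straight into an href attribute.

    This is the failure mode: the payload's leading double quote closes
    the attribute and the rest of it becomes an onmouseover handler.
    """
    return f'<a href="{link_url}" class="tmm-link">{name}</a>'


def sanitize_link_url(link_url: str) -> str:
    """Scheme allowlist first, then HTML attribute escaping.

    Returns "" for rejected URLs so the caller can omit the link entirely.
    Simplification: urlsplit() strips tab/CR/LF, but a real implementation
    must also reject other control characters browsers tolerate in schemes.
    """
    parts = urlsplit(link_url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return ""
    # quote=True turns " and ' into entities, so no attribute breakout is possible
    return html.escape(link_url, quote=True)


def render_hardened(name: str, link_url: str) -> str:
    """Escapes both the attribute and the text node; degrades to a <span>."""
    safe_name = html.escape(name, quote=True)
    safe_url = sanitize_link_url(link_url)
    if not safe_url:
        return f'<span class="tmm-link">{safe_name}</span>'
    return f'<a href="{safe_url}" class="tmm-link">{safe_name}</a>'


class _HandlerCollector(HTMLParser):
    """Collects on* attribute names the way a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        for attr_name, _value in attrs:
            if attr_name.startswith("on"):
                self.handlers.append(attr_name)


def injected_event_handlers(markup: str) -> list[str]:
    """Parses rendered markup and returns the event-handler attributes in it.

    Parsing (rather than grepping for "onmouseover") matters: when the payload
    is appended to an allowed URL, the hardened output still contains that
    substring inside the escaped href value, but no parser turns it into an
    attribute.
    """
    parser = _HandlerCollector()
    parser.feed(markup)
    parser.close()
    return parser.handlers


# Constructed stored values, standing in for what the plugin keeps in post meta.
STORED_MEMBERS = [
    {"member_id": 11, "link_url": "https://example.com/alice"},
    {"member_id": 12, "link_url": PAYLOAD},
    {"member_id": 13, "link_url": "javascript:alert(document.cookie)"},
    {"member_id": 14, "link_url": "mailto:dave@example.com"},
]


def audit_stored_links(rows) -> list[int]:
    """Incident-response check: which stored links can only be an attack?

    Flags non-allowlisted schemes and any quote or angle-bracket characters,
    which have no business in a profile link.
    """
    suspicious = []
    for row in rows:
        url = row["link_url"]
        scheme = urlsplit(url.strip()).scheme.lower()
        if scheme not in ALLOWED_SCHEMES or any(c in url for c in "\"'<>"):
            suspicious.append(row["member_id"])
    return suspicious


if __name__ == "__main__":
    print(render_vulnerable("Alice", PAYLOAD))
    print(injected_event_handlers(render_vulnerable("Alice", PAYLOAD)))
    print(render_hardened("Alice", PAYLOAD))
    print(audit_stored_links(STORED_MEMBERS))
```

The order inside `sanitize_link_url` is deliberate: the scheme check runs on the raw value, and only a value that passed it is escaped, so a `javascript:` link is dropped rather than escaped into a working but "safe-looking" attribute. On a real site the audit would read the plugin’s post meta from the database instead of the constructed list.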
___
The presence of Stored XSS vulnerabilities in WordPress plugins like Team Members can have severe consequences. Attackers can leverage these vulnerabilities to steal sensitive user data, deface websites, distribute malware, or launch phishing attacks. Furthermore, compromised websites may suffer reputational damage and loss of user trust.
Recommendations for Improved Security
To mitigate the risk associated with CVE-2024-1331 and similar vulnerabilities, WordPress site administrators are advised to:
- Update the Team Members plugin to version 5.3.2 or later, then review existing team members’ “Link URL” values, since updating does not remove payloads that were stored before the fix.
- Regularly audit and monitor WordPress plugins for security vulnerabilities.
- For plugin developers: validate input and escape output for the context it lands in. A stored link belongs in an href attribute only after its scheme has been checked and the value attribute-escaped, which is what WordPress’s esc_url() does.
- Educate users about the risks of clicking on suspicious links or executing unknown scripts on WordPress sites.
- Consider employing web application firewalls (WAFs) and security plugins to enhance website security posture.
By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Team Members.
DMITRII I.