Icegram Engage is a widely used WordPress plugin that lets website owners create and manage popups, opt-in forms, and other interactive features to increase user engagement. With over 30,000 active installations, the plugin is trusted by many to boost conversions and improve user experience. However, a high-severity vulnerability, CVE-2024-13482, has been discovered in the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows an attacker with editor-level access to store malicious JavaScript in a campaign's "text_color" setting; the script runs in the browser of an administrator who later works with that campaign, which can lead to account takeover and the creation of a backdoor in the WordPress site.

CVE: CVE-2024-13482
Plugin: Icegram Engage < 3.1.32
Critical: High
All Time: 2 402 123
Active installations: 30 000+
Publicly Published: April 22, 2025
Last Updated: April 2, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13482
https://wpscan.com/vulnerability/83ae33d0-4fc1-4186-9d70-b854a16df3a7/

Timeline

November 20, 2024: Plugin testing and vulnerability detection in Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA completed
November 20, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it
April 22, 2025: CVE-2024-13482 registered

Discovery of the Vulnerability

The vulnerability was found during a routine security test of the Icegram Engage plugin, specifically while creating and publishing a new campaign. The issue stems from the "text_color" field in the campaign settings. The plugin lets a campaign author choose a custom text color, but it neither validates the saved value as a color nor escapes it when echoing it back into the color picker's HTML attribute. An attacker with editor-level access can therefore store a value that closes the attribute and appends an event handler, and the injected JavaScript runs in the browser of an administrator or other privileged user who opens the campaign editor and hovers over the color picker.

Understanding XSS attacks

Cross-Site Scripting (XSS) is one of the most prevalent web vulnerabilities, especially in content management systems like WordPress. It occurs when an attacker is able to inject malicious scripts into web pages, which are then executed by users’ browsers. In WordPress, this often happens when plugins or themes fail to sanitize user input, allowing attackers to embed JavaScript into various fields. Real-world examples of XSS vulnerabilities include incidents where attackers inject malicious scripts into comment sections or form fields, allowing them to steal session cookies, hijack user accounts, or escalate privileges. CVE-2024-13482 is a similar type of vulnerability, where an attacker can inject JavaScript into the “text_color” field, potentially escalating privileges from an editor to an admin.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13482, an attacker needs an account with editor privileges or higher and proceeds as follows.

POC:

1. Duplicate "My First Icegram Campaign" at 127.0.0.1/wordpress/wp-admin/edit.php?post_type=ig_campaign.
2. Click "Publish" and reload the page.
3. Click the update button and intercept the request.
4. Change the "text_color" field to 123" onmouseover=alert(1)// and save.
5. To trigger the XSS, hover over the Body color picker. The stored value is echoed into the picker's value attribute without escaping, so the double quote closes the attribute and onmouseover=alert(1) becomes an event handler on the input.

Note: administrators and editors are allowed to use JavaScript in posts, pages, comments and so on by default, so the unfiltered_html capability should be disallowed when testing for stored XSS with such roles (for example by defining DISALLOW_UNFILTERED_HTML as true in wp-config.php); otherwise script execution by those roles is expected behaviour rather than a vulnerability.


The risks of CVE-2024-13482 are serious, particularly for websites that rely on Icegram Engage for user engagement. In a real-world scenario, an attacker holding an editor account can escalate to full administrator control: the payload runs in the browser of whichever administrator hovers over the color picker in the campaign editor, with that administrator's session and nonces, so it can perform actions as the administrator, such as creating a new admin account or planting a persistent JavaScript backdoor. Once the attacker has admin access they control the whole site: they can install malware, steal sensitive data, deface the website, or inject scripts that redirect visitors to phishing sites and harvest login credentials. E-commerce websites, membership sites, and any platform that handles sensitive user data are particularly exposed.

Recommendations for Improved Security

Update Icegram Engage to version 3.1.32 or later, where the issue is patched. Plugin developers should treat a stored value as untrusted at the point where it is output: a color such as "text_color" should be validated on save with WordPress's sanitize_hex_color(), which returns an empty string for anything that is not a 3- or 6-digit hex color, and escaped with esc_attr() when it is echoed into an HTML attribute. esc_html() is the function for text between tags, and wp_kses() only filters markup; the PoC payload contains no tag for wp_kses() to strip, so it is not the right defence for a value placed inside an attribute. Administrators should also restrict who can edit campaign settings to trusted users. Regular security audits and a Web Application Firewall (WAF) can help detect and block such attacks before they are exploited. The vendor fixed the issue using the prevention methods we recommended.
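To make the attribute breakout in the PoC above and the fix described here concrete, the following Python model is an added example; it is not Icegram Engage's code and not the vendor's patch. It renders the stored "text_color" into a color picker input the vulnerable way (raw interpolation), the validate-then-escape way, and the escape-only way, then parses each result with Python's HTML parser to show whether an event-handler attribute appears. The sanitize_hex_color and esc_attr functions are Python approximations of the WordPress functions of the same name; the input markup and the "#000000" fallback color are assumptions made for the example.

```python
"""Added example (not Icegram Engage's code): models the text_color attribute
breakout from CVE-2024-13482 and shows two ways of neutralising it."""
import html
import re
from html.parser import HTMLParser

# Payload taken from the advisory's PoC.
POC_PAYLOAD = '123" onmouseover=alert(1)//'

# Approximation of WordPress sanitize_hex_color(): '#' followed by 3 or 6
# hex digits is returned unchanged, anything else becomes ''.
_HEX_COLOR_RE = re.compile(r'^#([0-9a-fA-F]{3}){1,2}$')


def sanitize_hex_color(value: str) -> str:
    return value if _HEX_COLOR_RE.match(value) else ''


def esc_attr(value: str) -> str:
    # Approximation of WordPress esc_attr(): encode & < > " ' for attribute context.
    return html.escape(value, quote=True)


def render_color_picker_vulnerable(text_color: str) -> str:
    # Stored value interpolated straight into the attribute: the bug class on the page.
    return f'<input type="text" name="text_color" value="{text_color}">'


def render_color_picker_escaped_only(text_color: str) -> str:
    # Output escaping alone is enough to keep the value inside the attribute.
    return f'<input type="text" name="text_color" value="{esc_attr(text_color)}">'


def render_color_picker_fixed(text_color: str) -> str:
    # Defence in depth: validate on save, escape on output.
    # '#000000' is an assumed fallback for an invalid stored value.
    safe = sanitize_hex_color(text_color) or '#000000'
    return f'<input type="text" name="text_color" value="{esc_attr(safe)}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == 'input' and not self.attrs:
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if the parsed <input> carries any on* attribute (an injected handler)."""
    return any(name.startswith('on') for name in parse_input_attrs(markup))


if __name__ == '__main__':
    for label, render in (('vulnerable', render_color_picker_vulnerable),
                          ('escaped only', render_color_picker_escaped_only),
                          ('validated + escaped', render_color_picker_fixed)):
        markup = render(POC_PAYLOAD)
        print(f'{label:20s} handler={has_event_handler(markup)!s:5s} {markup}')
```

In the vulnerable rendering the parser sees value="123" followed by a separate onmouseover attribute, which is exactly what the browser executes when the picker is hovered; in both hardened renderings the whole payload stays inside the value attribute, and the validating variant additionally refuses to store a non-color at all.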

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13482, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2024-13482- Icegram Engage – Stored XSS to JS Backdoor Creation – POC
