Ajax Search Lite is a popular WordPress plugin used to enhance the search experience by providing real-time AJAX search results. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13585, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Categories filter box header text” field within the “Frontend Filters” settings. The injected script is then executed when the search results are displayed, leading to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this flaw poses a serious security risk to WordPress websites using Ajax Search Lite.
| CVE | CVE-2024-13585 |
| Plugin | Ajax Search Lite < 4.12.5 |
| Critical | High |
| All Time | 6 111 500 |
| Active installations | 100 000+ |
| Publicly Published | January 17, 2025 |
| Last Updated | January 17, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13585/ https://wpscan.com/vulnerability/270f213a-2fde-471c-ad09-2b44d11891ec/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 12, 2024 | Plugin testing and vulnerability detection in the Ajax Search Lite – Live Search & Filter have been completed |
| December 12, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2025 | Registered CVE-2024-13585 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of Ajax Search Lite. The issue lies in the “Categories filter box header text” field, which allows users to customize the label for the category filter in the frontend search interface. Unfortunately, the plugin does not sanitize or validate user input in this field, allowing an attacker to inject JavaScript code. When the settings are saved, the malicious script is stored in the database and executed when the page with the search box is rendered on the frontend. This flaw occurs because the plugin fails to properly escape or sanitize user input before displaying it, allowing malicious scripts to be executed in users’ browsers.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a vulnerability that enables attackers to inject malicious JavaScript into a website, which is executed in the browsers of users who visit the page. XSS vulnerabilities can lead to session hijacking, unauthorized actions performed on behalf of the user, and data theft. These vulnerabilities are common in WordPress plugins that allow user-generated content or settings without proper sanitization. A real-world example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject JavaScript into form fields, leading to session hijacking. Similarly, CVE-2024-13585 allows JavaScript injection into the “Categories filter box header text” field of Ajax Search Lite, which is later executed on the frontend when search results are displayed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13127, an attacker with editor-level privileges:
POC:
1) You should create a new post with Ajax Search block. 2) Change "Categories filter box header text" field in "Frontend Filters" settings to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)> 3) Save Settings____
The risks associated with CVE-2024-13585 are substantial. If exploited, an attacker could hijack the session of an administrator or another privileged user, gaining full control of the WordPress site. Once the attacker has admin access, they can modify site content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could escalate their privileges by hijacking an admin’s session or creating a backdoor admin account, providing persistent access to the site even after the vulnerability is patched. This is especially concerning for websites that handle sensitive user information, such as e-commerce sites or membership platforms, as the exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Moreover, the attacker could use the backdoor to install additional malicious scripts or compromise other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13585, administrators should immediately update the Ajax Search Lite plugin to the latest version once a fix is released. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. It is essential to properly sanitize and validate all user input, particularly in fields that affect frontend content, such as the “Categories filter box header text” field. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13585, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
