CVE-2024-13615 – SocialSnap – Stored XSS to JS Backdoor Creation – POC

The Social Media Plugin by Social Snap is widely used to add social sharing functionalities to WordPress websites. This plugin allows website administrators to add social sharing buttons, follow icons, and “Click to Tweet” features. However, a critical vulnerability, Stored Cross-Site Scripting (Stored XSS), has been identified in versions <= 1.3.6 of the plugin. This vulnerability allows an attacker to inject malicious JavaScript payloads, which can be executed when an admin user views the vulnerable settings page.

CVE	CVE-2024-13165
Plugin	Socialsnap <= 1.3.6
Critical	Medium
All Time	558 665
Active installations	10 000+
Publicly Published	February 17, 2024
Last Updated	February 17, 2024
Researcher	Artyom Krugov
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://wpscan.com/vulnerability/e8401973-f4c2-4ccf-a6ad-507dde8d2259/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13615
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

Get Plugin Security Certificate

PSC by Cleantalk

Timeline

Discovery of the Vulnerability

The vulnerability was discovered by examining how the plugin handles user input in its configuration settings. Specifically, the issue arises when an attacker can inject JavaScript code into the username field under the Social Followers tab within the plugin’s settings. The input is not properly sanitized or validated, allowing the malicious script to be stored in the system.

To exploit the vulnerability:

1. Navigate to the Social Share Plugin tab in the WordPress dashboard.
2. Click on Settings.
3. Go to the Social Followers tab.
4. Click on Manage Networks.
5. In each social network configuration, there is an option to configure settings by clicking the Setup button.
6. In the username field, an attacker can input a malicious payload.

When the payload is stored, the attacker can later trigger it by revisiting the settings page.

Understanding of XSS attack’s

Stored Cross-Site Scripting (Stored XSS) occurs when malicious input is permanently stored on a target server and later rendered as part of a web page. In the case of WordPress, this can happen when plugins or themes fail to properly sanitize or escape user input.

Stored XSS attacks can have severe consequences:

• Session hijacking: An attacker can steal the session cookies of users who are logged in, potentially gaining unauthorized access to their accounts.
• Malware distribution: Malicious scripts can redirect users to infected sites, or cause their browsers to download malicious files.
• Phishing: XSS can be used to create fake login forms that steal user credentials.

A real example of this kind of vulnerability is the WP GDPR Compliance Plugin, where XSS could be injected through a form submission. This would allow attackers to execute JavaScript in the context of the admin dashboard, leading to potential compromise.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13615, an attacker can inject the following malicious payload into the username field under the plugin’s Social Followers settings:

POC:

"><script></script><img src=x onerror=alert(1)>

____

Step-by-step exploitation:

1. Injection: The attacker injects the malicious code in the username field.
2. Storage: The input is stored by the plugin without proper sanitization.
3. Execution: When an admin revisits the settings page to manage social network configurations, the payload is executed as part of the web page’s HTML, causing the JavaScript inside the script tag to run.
4. Effect: In this case, the payload triggers an alert(1) on the admin page. However, in a real attack, this could be replaced with a more damaging payload, such as session hijacking or redirecting the admin to a phishing page.

Recommendations for Improved Security

To mitigate the risk posed by this vulnerability, the following actions are recommended:

1. Update the plugin: The most straightforward fix is to update to a patched version of the Social Snap plugin, where the vulnerability has been resolved.
2. Input validation and sanitization: Developers should ensure that all user inputs, including those in plugin settings, are properly sanitized before being stored or rendered. Functions like sanitize_text_field(), esc_attr(), and wp_kses_post() can help prevent the injection of malicious content.
3. Use Content Security Policy (CSP): Implementing a Content Security Policy can help mitigate the effects of XSS attacks by restricting the sources from which JavaScript can be loaded and executed.
4. Regular security audits: WordPress site administrators should perform regular security audits, including checking for vulnerable plugins and themes, and ensuring that they are up-to-date.
5. Educate site administrators: Site admins should be aware of the potential risks of XSS vulnerabilities and take precautions when using third-party plugins. Regularly updating and reviewing plugin configurations can help reduce the risk.

To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7052, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.