The recent discovery of CVE-2024-1660 in the Top Bar plugin unveils a critical vulnerability in WordPress, allowing for Stored XSS attacks. This flaw poses a significant risk to website security and warrants immediate attention from site administrators. This vulnerability allows malicious actors to execute Stored XSS attacks, potentially leading to the creation of JavaScript backdoors, compromising website integrity. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

Main info:

PluginTop Bar < 3.0.5
All Time261 904
Active installations20 000+
Publicly PublishedMarch 25, 2023
Last UpdatedMarch 25, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Plugin Security Certification by CleanTalk


February 11, 2023Plugin testing and vulnerability detection in the Top Bar plugin have been completed
February 11, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 25, 2024Registered CVE-2024-1660

Discovery of the Vulnerability

During routine testing of the Top Bar plugin, security researchers identified a flaw that enables attackers to execute malicious scripts via Stored XSS, leading to potential account takeover through backdoor creation.

Understanding of Stored XSS attack’s

Stored XSS exploits allow attackers to inject malicious scripts into a website’s content, such as posts or comments. When unsuspecting users interact with the compromised content, the injected scripts execute within their browsers, enabling attackers to steal sensitive information or hijack user accounts.

Exploiting the Stored XSS Vulnerability

In the case of CVE-2024-1660, attackers can embed malicious scripts within the Top Bar plugin settings, posing as editors. Upon saving the settings, the injected payload remains dormant until triggered by unsuspecting users interacting with the compromised element.


  1. You should click on “Top Bar Menu” and submit first request. Change tpbr_color parametr to (” onmouseover=’alert(1)’)


The vulnerability exposes websites to various risks, including unauthorized access to sensitive data, account takeover, and the deployment of additional malware. Attackers could exploit this flaw to compromise user accounts, deface websites, or steal valuable information.

Recommendations for Improved Security

Website administrators are strongly advised to update the Top Bar plugin to the latest version immediately. Additionally, implementing measures to restrict the execution of JavaScript in user-generated content and regularly monitoring for suspicious activity can help mitigate the risk of XSS attacks.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-1660, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-1660 – Top Bar – Stored XSS to JS backdoor creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *