A critical security vulnerability, CVE-2024-2189, has been identified in the Social Icons Widget & Block WordPress plugin, which boasts over 100k installations. This vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

Main info:

CVECVE-2024-2189
PluginSocial Icons Widget & Block < 4.2.18
CriticalHigh
All Time2 854 260
Active installations100 000+
Publicly PublishedApril 30, 2024
Last UpdatedApril 30, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2189
https://wpscan.com/vulnerability/b8661fbe-78b9-4d29-90bf-5b68af468eb6/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

February 16, 2024Plugin testing and vulnerability detection in the Social Icons Widget & Block by WPZOOM plugin have been completed
February 16, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 30, 2024Registered CVE-2024-2189

Discovery of the Vulnerability

During routine security assessments, researchers discovered a flaw in the Social Icons Widget & Block plugin that allows attackers to execute malicious JavaScript code on behalf of an editor. This vulnerability enables threat actors to create a backdoor for account takeover, posing a significant risk to WordPress websites utilizing the plugin.

Understanding of Stored XSS attack’s

Stored XSS attacks occur when malicious scripts are injected into a web application and executed within the context of another user’s session. In WordPress, plugins like Social Icons Widget & Block are susceptible to such attacks if they fail to properly sanitize user inputs. Real-world examples of Stored XSS vulnerabilities highlight the severity of these issues, as they can lead to unauthorized access, data theft, and website defacement.

Exploiting the Stored XSS Vulnerability

By exploiting the CVE-2024-2189 vulnerability, attackers can inject malicious script payloads into specific fields of the Social Icons Widget & Block plugin, such as the “color_picker_fields” field. When unsuspecting users interact with these elements, the injected JavaScript code gets executed, facilitating account takeover and compromising website security.

POC:

When creating a new widget, insert the following payload in the “color_picker_fields” field – 123″ onmouseover=’alert(/XSS/)’ (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

The CVE-2024-2189 vulnerability poses a significant risk to WordPress websites utilizing the Social Icons Widget & Block plugin. Attackers could leverage this flaw to execute various malicious activities, including creating JavaScript backdoors, redirecting users to malicious websites, or stealing sensitive user information. In real-world scenarios, such attacks could result in severe consequences, including reputation damage and financial losses.

Recommendations for Improved Security

Website administrators and WordPress users are strongly advised to update the Social Icons Widget & Block plugin to the latest patched version immediately. Additionally, developers should prioritize implementing robust input validation and output sanitization mechanisms within their plugins to mitigate the risk of XSS vulnerabilities. Regular security audits and proactive monitoring can also help identify and address potential security issues before they are exploited by malicious actors.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2189, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-2189 – Social Icons Widget & Block – Stored XSS to JS backdoor creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *