In today’s digital age, security vulnerabilities in web applications can lead to severe consequences, including unauthorized access, data breaches, and loss of trust. One such critical vulnerability is the Stored Cross-Site Scripting (XSS) attack. This article explores a newly discovered Stored XSS vulnerability in the “Button Contact VR” WordPress plugin, identified as CVE-2024-2220. This flaw can allow attackers to embed malicious scripts, creating backdoors for account takeover, posing significant risks to website integrity and user data. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).
Main info:
| CVE | CVE-2024-2220 |
| Plugin | Button contact VR <= 4.7 |
| Critical | High |
| All Time | 162 512 |
| Active installations | 50 000+ |
| Publicly Published | April 30, 2024 |
| Last Updated | April 30, 2024 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2220 https://wpscan.com/vulnerability/fe8c001e-8880-4570-b010-a41fc8ee0c58/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| February 22, 2024 | Plugin testing and vulnerability detection in the Button contact VR plugin have been completed |
| February 22, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 30, 2024 | Registered CVE-2024-2220 |
Discovery of the Vulnerability
During a routine security audit of the “Button Contact VR” plugin, researchers discovered a critical vulnerability. The plugin, widely used for adding contact buttons on WordPress sites, failed to adequately sanitize user inputs. This flaw allows attackers to insert malicious JavaScript code into the plugin’s fields. Specifically, the vulnerability was found in the “Hotline” field, where an attacker with editor-level access could inject harmful scripts.
Understanding of Stored XSS attack’s
Stored XSS vulnerabilities occur when an application stores unsanitized user input and then later renders it as part of the page content. In the context of WordPress plugins, such vulnerabilities can be particularly dangerous. Once injected, the malicious script runs every time a user visits the affected page or interacts with the compromised element, like a contact button in this case.
Exploiting the Stored XSS Vulnerability
By leveraging the Carousel Slider plugin, attackers can embed malicious scripts, such as JavaScript, into sliders. These scripts execute when unsuspecting users interact with the compromised sliders, opening the door for various nefarious activities.
POC:
- Log in to the WordPress site with an editor account.
- Navigate to the “Button Contact VR” settings.
- Locate the “Hotline” field.
- Insert the following payload:
asd"onmouseover='alert(112312)'.- Save the changes.
____
Consider a scenario where an attacker gains access to a WordPress site with editor privileges. By exploiting the Stored XSS vulnerability in the “Button Contact VR” plugin, the attacker embeds a script that steals cookies or session tokens whenever an admin logs in. This script then sends the stolen information to the attacker’s server, enabling them to hijack the admin account and plant a more persistent backdoor.
Recommendations for Improved Security
- Input Sanitization: Plugin developers should implement robust input validation and sanitization. All user inputs should be thoroughly sanitized to prevent the injection of malicious scripts.
- Regular Updates: Website administrators should ensure that all plugins and themes are kept up-to-date. Developers frequently release patches for security vulnerabilities, and timely updates can prevent exploitation.
- Principle of Least Privilege: Users should be granted the minimum necessary permissions. For instance, contributors should not have the ability to embed potentially dangerous content. This principle limits the impact of a compromised account.
- Security Audits: Regular security audits and code reviews can help identify and rectify vulnerabilities before they are exploited. Organizations should also consider engaging third-party security experts for thorough assessments.
- Content Security Policy (CSP): Implementing a strong Content Security Policy can help mitigate the impact of XSS attacks by restricting the sources from which scripts can be loaded and executed.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2220, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
