In today’s digital age, security vulnerabilities in web applications can lead to severe consequences, including unauthorized access, data breaches, and loss of trust. One such critical vulnerability is the Stored Cross-Site Scripting (XSS) attack. This article explores a newly discovered Stored XSS vulnerability in the “Button Contact VR” WordPress plugin, identified as CVE-2024-2220. This flaw can allow attackers to embed malicious scripts, creating backdoors for account takeover, posing significant risks to website integrity and user data. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

Main info:

CVECVE-2024-2220
PluginButton contact VR <= 4.7
CriticalHigh
All Time162 512
Active installations50 000+
Publicly PublishedApril 30, 2024
Last UpdatedApril 30, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2220
https://wpscan.com/vulnerability/fe8c001e-8880-4570-b010-a41fc8ee0c58/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

February 22, 2024Plugin testing and vulnerability detection in the Button contact VR plugin have been completed
February 22, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 30, 2024Registered CVE-2024-2220

Discovery of the Vulnerability

During a routine security audit of the “Button Contact VR” plugin, researchers discovered a critical vulnerability. The plugin, widely used for adding contact buttons on WordPress sites, failed to adequately sanitize user inputs. This flaw allows attackers to insert malicious JavaScript code into the plugin’s fields. Specifically, the vulnerability was found in the “Hotline” field, where an attacker with editor-level access could inject harmful scripts.

Understanding of Stored XSS attack’s

Stored XSS vulnerabilities occur when an application stores unsanitized user input and then later renders it as part of the page content. In the context of WordPress plugins, such vulnerabilities can be particularly dangerous. Once injected, the malicious script runs every time a user visits the affected page or interacts with the compromised element, like a contact button in this case.

Exploiting the Stored XSS Vulnerability

By leveraging the Carousel Slider plugin, attackers can embed malicious scripts, such as JavaScript, into sliders. These scripts execute when unsuspecting users interact with the compromised sliders, opening the door for various nefarious activities.

POC:

  1. Log in to the WordPress site with an editor account.
  2. Navigate to the “Button Contact VR” settings.
  3. Locate the “Hotline” field.
  4. Insert the following payload: asd"onmouseover='alert(112312)'.
  5. Save the changes.

____

Consider a scenario where an attacker gains access to a WordPress site with editor privileges. By exploiting the Stored XSS vulnerability in the “Button Contact VR” plugin, the attacker embeds a script that steals cookies or session tokens whenever an admin logs in. This script then sends the stolen information to the attacker’s server, enabling them to hijack the admin account and plant a more persistent backdoor.

Recommendations for Improved Security

  • Input Sanitization: Plugin developers should implement robust input validation and sanitization. All user inputs should be thoroughly sanitized to prevent the injection of malicious scripts.
  • Regular Updates: Website administrators should ensure that all plugins and themes are kept up-to-date. Developers frequently release patches for security vulnerabilities, and timely updates can prevent exploitation.
  • Principle of Least Privilege: Users should be granted the minimum necessary permissions. For instance, contributors should not have the ability to embed potentially dangerous content. This principle limits the impact of a compromised account.
  • Security Audits: Regular security audits and code reviews can help identify and rectify vulnerabilities before they are exploited. Organizations should also consider engaging third-party security experts for thorough assessments.
  • Content Security Policy (CSP): Implementing a strong Content Security Policy can help mitigate the impact of XSS attacks by restricting the sources from which scripts can be loaded and executed.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2220, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-2220 – Button contact VR – Stored XSS to JS backdoor creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *