A high-severity vulnerability, CVE-2024-2643, has been found in the My Sticky Bar WordPress plugin (versions below 2.6.8). The flaw is a Stored XSS: one of the plugin's settings is saved and later rendered without sanitization or escaping, so JavaScript injected into it executes in the browser of whoever views the page where it is rendered. Exploitation requires an account that can edit the plugin's settings, but that is exactly the situation in which it matters: an attacker who has already hijacked an administrator or editor account can store a JavaScript backdoor in the setting and keep access to the site even after the original foothold is closed.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2024-2643 |
| Plugin | My Sticky Bar < 2.6.8 |
| Severity | High |
| All-time downloads | 2 731 280 |
| Active installations | 100 000+ |
| Publicly Published | March 25, 2024 |
| Last Updated | March 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) (2017 list) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2643 and https://wpscan.com/vulnerability/23805a61-9fcd-4744-a60d-05c8cb43ee01/ |
Timeline

| Date | Event |
|---|---|
| February 28, 2023 | Plugin testing and vulnerability detection in the My Sticky Bar plugin were completed |
| February 28, 2023 | I contacted the plugin author and provided a PoC of the vulnerability with a description and recommendations for fixing it |
| March 25, 2024 | CVE-2024-2643 registered |
Discovery of the Vulnerability
During testing of the plugin, a settings field was found to be stored and rendered without sanitization or escaping. A user who can edit those settings can therefore inject arbitrary JavaScript that is persisted in the database and executed as Stored XSS each time the affected page is loaded, which is enough to keep a foothold on the site.
Understanding Stored XSS attacks
Stored XSS in a WordPress plugin such as My Sticky Bar means attacker-controlled markup is written to the database (here, into plugin settings) and served back to other users unescaped. The injected script runs with the privileges of whoever views it: it can read what that user sees, submit actions on their behalf, steal session data, or change the site's content and behaviour.
Exploiting the Stored XSS Vulnerability
The vulnerable field is the colour setting submitted as mysticky_option_welcomebar[mysticky_welcomebar_x_color] when a new bar is created in the My Sticky Bar settings. The shape of the working payload (a valid hex colour, then a closing double quote, then an event handler) shows that the stored value is echoed into an HTML attribute without escaping, so the quote terminates the attribute and the handler becomes part of the tag. An attacker who already controls an account with access to these settings can store a JavaScript backdoor there that runs every time the page is rendered.
POC:
1. Log in with an account that can manage the plugin's settings, open "My Sticky Bar" and create a "New Bar".
2. Set the field submitted as mysticky_option_welcomebar[mysticky_welcomebar_x_color] (URL-encoded in the request as mysticky_option_welcomebar%5Bmysticky_welcomebar_x_color%5D) to the following value:

   #000000"onmouseover=alert(1)//

   (URL-encoded: %23000000%22onmouseover=alert(1)//)
3. Click "Save Settings". Moving the mouse over the element that renders this colour triggers alert(1).
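The pattern behind this bug and its fix, as an added example that is not the plugin's own code. It is plain PHP so it runs outside WordPress: the colour check stands in for WordPress's sanitize_hex_color() and the attribute escaping for esc_attr(). The function names, the input markup and the sample options array are illustrative assumptions; the payload is the one from the PoC above.

```php
<?php
// Added example, not My Sticky Bar's code. Shows how an unvalidated colour
// setting becomes Stored XSS and how "validate on save + escape on output"
// stops it. The function names and markup below are illustrative.

// Payload from the PoC: a valid colour, an attribute break-out, an event handler.
$payload = '#000000"onmouseover=alert(1)//';

// Vulnerable pattern: the stored value is dropped straight into an attribute.
function render_vulnerable(string $color): string
{
    return '<input type="text" name="mysticky_welcomebar_x_color" value="' . $color . '">';
}

// Fix, step 1 (on save): accept only a 3- or 6-digit hex colour, reject the rest.
// WordPress equivalent: sanitize_hex_color(), which also returns null on failure.
function sanitize_hex_color_local(string $color): ?string
{
    return preg_match('/^#([A-Fa-f0-9]{3}|[A-Fa-f0-9]{6})$/', $color) ? $color : null;
}

// Fix, step 2 (on output): escape for an attribute context no matter what is
// stored, so a bad value that reached the database is still inert.
// WordPress equivalent: esc_attr().
function render_hardened(?string $color, string $default = '#000000'): string
{
    $safe = htmlspecialchars($color ?? $default, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="mysticky_welcomebar_x_color" value="' . $safe . '">';
}

// Check for sites that cannot update yet: flag stored values that a colour
// picker could never have produced (quotes, angle brackets, on*= handlers).
function find_suspicious_settings(array $options): array
{
    $hits = [];
    foreach ($options as $key => $value) {
        if (is_string($value) && preg_match('/["\'<>]|on\w+\s*=/i', $value)) {
            $hits[] = $key;
        }
    }
    return $hits;
}

echo "Vulnerable: " . render_vulnerable($payload) . PHP_EOL;
// value="#000000"onmouseover=alert(1)//">   -> handler attribute injected

$stored = sanitize_hex_color_local($payload);   // null: rejected on save
echo "Hardened:   " . render_hardened($stored) . PHP_EOL;
// value="#000000"                              -> default used, nothing injected

echo "Escaped:    " . render_hardened($payload) . PHP_EOL;
// value="#000000&quot;onmouseover=alert(1)//"  -> quote neutralised on output

// Constructed sample of a stored settings array (the real option layout is an
// assumption); only the tampered key is reported.
$sample = [
    'mysticky_welcomebar_x_color' => $payload,
    'mysticky_welcomebar_bgcolor' => '#ffffff',
];
print_r(find_suspicious_settings($sample));     // Array ( [0] => mysticky_welcomebar_x_color )
```

Both halves of the fix matter: validation on save keeps the database clean, and escaping on output protects against values that arrived by another route (an older plugin version, a direct database write, a different form). The scan function is the check to run against existing settings after updating, since updating the plugin does not remove a payload that was stored before the patch.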
The consequences follow from where the script runs. In an administrator's session it can read anything that administrator can see and submit any action that administrator can perform, including creating new privileged accounts, changing settings, or altering site content. Because the payload lives in plugin settings rather than in a single post, it fires on every load of the affected page, which is what turns a Stored XSS into a persistent backdoor that survives the clean-up of the originally compromised account.
Recommendation
Update the My Sticky Bar plugin to version 2.6.8 or later. Updating does not remove a payload that was stored before the patch, so after updating, review the bar settings for values containing quotes, angle brackets or on* event handlers, and audit administrator and editor accounts, since exploitation requires one of them. For plugin developers, the fix is the standard pair: sanitize on save (for a colour field, sanitize_hex_color()) and escape on output in the matching context (esc_attr() for attribute values), rather than trusting that only well-behaved administrators will ever submit the form. Regular plugin audits and least-privilege account policies limit the damage when a similar flaw appears elsewhere.
DMITRII I.