A critical vulnerability, CVE-2024-2729, found in Otter Blocks, a popular WordPress plugin with over 300,000 installations, poses a significant risk to website security. The flaw allows attackers to execute malicious JavaScript code, potentially leading to the creation of admin accounts.

Main info:

CVE: CVE-2024-2729
Plugin: Otter Blocks < 2.6.6
Critical: High
All Time: 7 072 287
Active installations: 300 000+
Publicly Published: March 25, 2023
Last Updated: March 25, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2729
https://wpscan.com/vulnerability/5014f886-020e-49d1-96a5-2159eed8ba14/

Timeline

March 15, 2023: Plugin testing and vulnerability detection in the Otter Blocks plugin have been completed
March 15, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 25, 2024: Registered CVE-2024-2729

Discovery of the Vulnerability

During routine testing, security researchers uncovered a flaw in Otter Blocks that enables the injection of stored cross-site scripting (XSS) payloads via the creation of new posts. This vulnerability grants contributors the ability to execute arbitrary code, including the creation of admin accounts.

Understanding Stored XSS Attacks

Stored XSS vulnerabilities occur when user input is improperly sanitized and stored by a web application, allowing attackers to inject malicious scripts. In WordPress, this often happens through plugins or themes that fail to adequately filter user-generated content.

Exploiting the Stored XSS Vulnerability

Exploiting CVE-2024-2729 involves creating a new post and inserting a crafted payload into the content field. By leveraging this vulnerability, attackers can execute arbitrary JavaScript, potentially gaining unauthorized access to admin privileges.

POC:

Create a new post and insert a “wp:themeisle-blocks/review” block into it. Change “mainHeading” to an XSS payload.

___

The ramifications of this vulnerability are severe. Attackers could hijack admin accounts, compromising entire WordPress installations. They may deface websites, steal sensitive data, or launch further attacks, posing a significant risk to site owners and users.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-2729, site administrators are advised to update Otter Blocks to the latest patched version immediately. Additionally, regular security audits and thorough code reviews are crucial for identifying and addressing vulnerabilities in WordPress plugins and themes.
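As part of such an audit, the following added example (not code from the original post or from the Otter Blocks project) scans stored post content for the wp:themeisle-blocks/review block named in the PoC and flags mainHeading values that contain markup. It assumes mainHeading is serialized in the block comment's JSON attributes; the function names, the markup heuristic and the sample posts are constructed for illustration.

```python
import json
import re

# Gutenberg stores a block as an HTML comment: <!-- wp:name {json attributes} -->
# or the self-closing form ending in /-->. Both openers are matched here.
BLOCK_RE = re.compile(
    r"<!--\s+wp:themeisle-blocks/review\s+(\{.*?\})\s+/?-->", re.DOTALL
)
# Heuristic (assumption): a review heading is plain text, so any tag,
# inline event handler or javascript: URL in it deserves a manual look.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE
)


def suspicious_headings(post_content):
    """Return mainHeading values of review blocks that contain markup."""
    hits = []
    for match in BLOCK_RE.finditer(post_content):
        try:
            # json.loads also decodes \u003c-style escapes used by the editor.
            attrs = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # attribute JSON is malformed: nothing to inspect
        heading = attrs.get("mainHeading")
        if isinstance(heading, str) and MARKUP_RE.search(heading):
            hits.append(heading)
    return hits


def audit(posts):
    """posts maps post ID to post_content. Return [(post_id, heading), ...]."""
    return [(pid, heading)
            for pid, content in sorted(posts.items())
            for heading in suspicious_headings(content)]


# Constructed sample data, not taken from a real site.
SAMPLE_POSTS = {
    101: r'<!-- wp:themeisle-blocks/review {"mainHeading":"Best budget laptop"} /-->',
    102: r'<!-- wp:themeisle-blocks/review {"mainHeading":"Top pick \u003cscript\u003e/* constructed */\u003c/script\u003e"} /-->',
    103: '<!-- wp:paragraph --><p>No review block here</p><!-- /wp:paragraph -->',
}

if __name__ == "__main__":
    for post_id, heading in audit(SAMPLE_POSTS):
        print(f"post {post_id}: review heading contains markup: {heading!r}")
```

Feed it post_content values exported from the wp_posts table. A hit is a prompt for manual review of that post and its author, not proof of compromise.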

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2729, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


DMITRII I.

CVE-2024-2729 – Otter Blocks – Stored XSS to Admin Account Creation (Contributor+) – POC
