Genesis Blocks, a popular WordPress plugin, harbors a critical vulnerability, CVE-2024-2761, allowing Contributor-level users to execute Stored XSS attacks, potentially leading to unauthorized admin account creation. Let’s delve into the details of this security flaw.

Main info:

CVE: CVE-2024-2761
Plugin: Genesis Blocks < 3.1.3
Criticality: High
All-time downloads: 1 343 772
Active installations: 100 000+
Publicly Published: March 25, 2023
Last Updated: March 25, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2761
https://wpscan.com/vulnerability/e092ccdc-7ea1-4937-97b7-4cdbff5e74e5/
Plugin Security Certification by CleanTalk

Timeline

March 12, 2023: Plugin testing and vulnerability detection in the Genesis Blocks plugin have been completed
March 12, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 25, 2024: Registered CVE-2024-2761

Discovery of the Vulnerability

During routine testing of the Genesis Blocks plugin, security researchers uncovered a critical vulnerability. Through careful analysis, they identified a flaw that allows a Contributor-level user to inject malicious JavaScript code through a new post; the code is stored with the post and later executed in the browsers of other users who view it, which is the essence of a Stored XSS vulnerability.

Understanding Stored XSS Attacks

Stored XSS vulnerabilities occur when user input is improperly validated and stored on a website. In WordPress, plugins like Genesis Blocks are susceptible to such attacks, enabling threat actors to execute arbitrary scripts within the context of the site.

Real-world examples of Stored XSS attacks include injecting malicious code into input fields, comments, or posts. Once executed, these scripts can hijack user sessions, steal sensitive data, or even create admin accounts for attackers.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2024-2761, attackers can create a new post within WordPress and insert crafted payloads containing malicious JavaScript code. This code is then executed when the post is viewed by site visitors, potentially leading to unauthorized access and admin account creation.

POC:

Create a new post containing a “wp:genesis-blocks/gb-post-grid” block. After creating it, place the payload in the “postTitleTag” field.

___

The risk associated with CVE-2024-2761 is significant. Malicious actors could leverage this vulnerability to compromise admin accounts, gain unauthorized access to sensitive information, deface websites, or launch further attacks against site visitors.

Real-world scenarios include attackers embedding phishing forms, distributing malware, or redirecting users to malicious websites, thereby jeopardizing the integrity and security of affected WordPress sites.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-2761 and similar vulnerabilities, WordPress site owners are urged to:

  1. Update the Genesis Blocks plugin to the latest patched version immediately.
  2. Regularly monitor for security advisories and apply patches promptly.
  3. Implement robust input validation and sanitization mechanisms.
  4. Educate users on the importance of strong passwords and account security.
  5. Consider using security plugins or services to enhance website defenses against XSS attacks.
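The PoC above points at a block attribute, “postTitleTag”, that ends up in HTML tag-name position, and recommendation 3 asks for proper validation of such input. The following script is an added example and is not the plugin's own code or its actual fix: it contrasts the unsafe pattern (interpolating the attribute into a tag name and relying on escaping) with an allowlist check, and adds a small audit helper that scans already-stored post_content for out-of-allowlist values. The function names, the attribute shape, the allowlist contents and the sample block markup are assumptions; the esc_attr()/esc_html() fallbacks only exist so the script runs under php-cli without WordPress loaded.

```php
<?php
// Added example (not Genesis Blocks code): tag-name injection via a block
// attribute, its allowlist fix, and an audit helper for stored content.
// All names, attribute shapes and sample values below are assumptions.

// Fallbacks so the script runs outside WordPress; inside WordPress the real
// esc_attr()/esc_html() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unsafe pattern: the attribute value lands in tag-name position. esc_attr()
// escapes <, >, & and quotes, but spaces and "=" pass through, so a value that
// is not a bare tag name can still carry extra attributes into the element.
function render_title_unsafe(array $attributes, string $title): string {
    $tag = (string) ($attributes['postTitleTag'] ?? 'h3');
    return '<' . esc_attr($tag) . ' class="gb-block-post-grid-title">'
        . esc_html($title) . '</' . esc_attr($tag) . '>';
}

// Hardened pattern: accept only a fixed set of tag names (assumed list) and
// fall back to the default for anything else. The comparison is exact, so no
// stray characters can survive into the markup.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div'];

function sanitize_title_tag($value, string $default = 'h3'): string {
    if (!is_string($value)) {
        return $default;
    }
    $tag = strtolower(trim($value));
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_title_safe(array $attributes, string $title): string {
    $tag = sanitize_title_tag($attributes['postTitleTag'] ?? null);
    return '<' . $tag . ' class="gb-block-post-grid-title">'
        . esc_html($title) . '</' . $tag . '>';
}

// Audit helper for content that is already in the database: parse the block
// comment delimiters of gb-post-grid blocks out of post_content and report
// every postTitleTag value that is not on the allowlist.
function find_suspicious_title_tags(string $post_content): array {
    $found = [];
    $pattern = '/<!--\s*wp:genesis-blocks\/gb-post-grid\s+(\{.*?\})\s*\/?-->/s';
    if (preg_match_all($pattern, $post_content, $m)) {
        foreach ($m[1] as $json) {
            $attrs = json_decode($json, true);
            if (!is_array($attrs) || !array_key_exists('postTitleTag', $attrs)) {
                continue;
            }
            $raw = $attrs['postTitleTag'];
            if (!is_string($raw) || !in_array(strtolower(trim($raw)), ALLOWED_TITLE_TAGS, true)) {
                $found[] = $raw;
            }
        }
    }
    return $found;
}

// Constructed sample attributes: a legitimate value and one that is not a
// bare tag name (the kind of input the fix must reject).
$legit   = ['postTitleTag' => 'h2'];
$crafted = ['postTitleTag' => 'h2 data-x="y"'];

foreach ([$legit, $crafted] as $attrs) {
    echo 'attribute : ', $attrs['postTitleTag'], PHP_EOL;
    echo 'unsafe    : ', render_title_unsafe($attrs, 'Hello'), PHP_EOL;
    echo 'safe      : ', render_title_safe($attrs, 'Hello'), PHP_EOL, PHP_EOL;
}

// Constructed post_content with one clean and one out-of-allowlist block.
$post_content = '<!-- wp:genesis-blocks/gb-post-grid {"postTitleTag":"h2"} /-->' . "\n"
    . '<!-- wp:genesis-blocks/gb-post-grid {"postTitleTag":"h2 data-x=\"y\""} /-->';

echo 'audit     : ', json_encode(find_suspicious_title_tags($post_content)), PHP_EOL;
```

Running it under php-cli shows the unsafe renderer emitting the crafted value inside the opening tag, while the safe renderer collapses it to the default tag; the audit call lists only the second block's value. On a real site the audit function would be fed the post_content of each post from wp_posts (for example through WP_Query or WP-CLI), which makes it a cheap way to check existing content after updating the plugin.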

Stay vigilant and proactive in safeguarding your WordPress site against emerging threats like CVE-2024-2761. Your website’s security is paramount, so take action now to prevent potential exploitation.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-2761 – Genesis Blocks – Stored XSS to Admin Account Creation (Contributor+) – POC
