The discovery of CVE-2024-2837 has unveiled a chilling reality within WP Chat App, where a Stored XSS vulnerability lurks. This flaw permits the injection of malicious scripts, opening the floodgates to potential backdoors. Let’s delve into the depths of this digital menace. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).
Main info:
| CVE | CVE-2024-2837 |
| Plugin | WP Chat App < 3.6.4 |
| Critical | High |
| All Time | 979 590 |
| Active installations | 100 000+ |
| Publicly Published | April 10, 2023 |
| Last Updated | April 10, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2837 https://wpscan.com/vulnerability/91058c48-f262-4fcc-9390-472d59d61115/ |
| Plugin Security Certification by CleanTalk |  |
Timeline
| March 1, 2024 | Plugin testing and vulnerability detection in the WP Chat App plugin have been completed |
| March 1, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 10, 2024 | Registered CVE-2024-2837 |
Discovery of the Vulnerability
During meticulous plugin testing, CVE-2024-2837 emerged as a sinister threat. It enables adversaries to execute Stored XSS attacks under the guise of admin privileges, paving the way for nefarious account hijacking endeavors.
Understanding of Stored XSS attack’s
Stored XSS, a notorious adversary in the cybersecurity realm, finds a fertile ground in WordPress ecosystems. By infiltrating user-generated content, it can stealthily embed malicious scripts, leading to devastating consequences.
Exploiting the Stored XSS Vulnerability
Exploiting CVE-2024-2837 is alarmingly straightforward. Simply navigating to WP Chat App’s “Floating Widget” settings and tampering with the “titleSize” parameter can trigger a cascade of malicious actions, including unauthorized script execution.
POC:
Go to “Floating Widget” settings and try to change filed “titleSize” to this – titleSize=18″onmouseover=alert(1)//’+onmouseover=alert(1)//
____
The ramifications of this vulnerability extend far beyond theoretical constructs. With the ability to create JavaScript backdoors, threat actors could orchestrate full-scale website compromises, jeopardizing user data, trust, and organizational integrity.
Recommendations for Improved Security
To mitigate the looming threat posed by CVE-2024-2837, immediate action is imperative. Website administrators should promptly update WP Chat App to the latest patched version and enforce stringent security measures to fortify their digital fortresses against potential breaches. Vigilance, proactive monitoring, and robust security protocols are indispensable in the ongoing battle against cyber threats.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2837, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
