CVE-2024-3261 is a high-severity vulnerability in the Strong Testimonials WordPress plugin that allows attackers to carry out Stored XSS attacks and, through them, compromise administrator accounts. Understanding its implications and securing affected WordPress installations is therefore paramount.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2024-3261 |
| Plugin | Strong Testimonials < 3.1.12 |
| Severity | High |
| All-time downloads | 3 226 627 |
| Active installations | 100 000+ |
| Publicly Published | March 25, 2023 |
| Last Updated | March 25, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3261, https://wpscan.com/vulnerability/5a0d5922-eefc-48e1-9681-b63e420bb8b3/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| March 18, 2024 | Plugin testing and vulnerability detection in the Strong Testimonials plugin were completed |
| January 18, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 25, 2024 | Registered CVE-2024-3261 |
Discovery of the Vulnerability
During rigorous plugin testing, researchers uncovered a flaw in Strong Testimonials that lets malicious actors inject JavaScript code through a submitted testimonial. Because the injected script runs in the browser of whoever views the testimonial, including an administrator, the flaw can be leveraged to create an admin account through Stored XSS.
Understanding Stored XSS attacks
Stored (persistent) XSS occurs when user-supplied input is saved by the application and later rendered to other users without proper escaping for the context it lands in (HTML text, an attribute value, a URL). The injected script then executes in the browser of every user who views the affected page, with that user's session and privileges. In Strong Testimonials the stored input is the testimonial itself, and the privileged viewer is the site administrator who reviews or displays it.
Exploiting the Stored XSS Vulnerability
In the case of CVE-2024-3261, an attacker submits a testimonial whose fields contain malicious JavaScript. When the testimonial is rendered, the unescaped value breaks out of the HTML attribute it is placed in and the injected code runs in the viewer's browser; if that viewer is an administrator, the script can act with admin privileges, which is what enables unauthorized admin account creation. The testimonial itself can look entirely harmless to a human reviewer.
PoC:
Create a new Testimonial and intercept the request. Put the payload `123"onmouseover='alert(1)'` into the "Full Name" field. For the PoC to trigger, create a View of Testimonials and set "Display Type" to "link (must be URL type)" in the "Custom Field" setting.
___
Recommendation
To mitigate the risk posed by CVE-2024-3261 and similar vulnerabilities:
- Update the Strong Testimonials plugin to the latest secure version immediately.
- Regularly audit and sanitize user inputs to prevent XSS vulnerabilities.
- Implement strict content security policies (CSP) to mitigate the impact of XSS attacks.
- Educate users and administrators about the risks of XSS and encourage best practices for secure coding and plugin usage.
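The PoC above works because a custom field is written into a link attribute without attribute-context escaping, so a double quote in the stored "Full Name" value closes the attribute and the remainder of the string is parsed as a new attribute (an event handler). The following PHP is an added example written for this article, not the Strong Testimonials plugin's own code: it renders a constructed testimonial record through the vulnerable pattern and through a hardened one, and adds a small audit pass of the kind the "audit and sanitize user inputs" recommendation calls for. The field names (`name`, `site`) and the helper functions are assumptions made for the demo; in a real WordPress plugin the equivalents are `esc_attr()`, `esc_html()` and `esc_url()`.

```php
<?php
// Added example (not Strong Testimonials' own code): unsafe attribute-context
// output of the kind CVE-2024-3261 describes, a hardened equivalent, and an
// audit helper. The record schema and helper names are assumptions.

declare(strict_types=1);

// Constructed sample: two testimonials, the second carrying the advisory's
// PoC string 123"onmouseover='alert(1)' in the "Full Name" field.
const SAMPLE_TESTIMONIALS = [
    ['name' => 'Jane Doe',                    'site' => 'https://example.com'],
    ['name' => "123\"onmouseover='alert(1)'", 'site' => 'https://example.com'],
];

// Vulnerable pattern: the stored value is concatenated straight into a link
// attribute. A double quote in the value terminates the attribute and the
// rest of the string is parsed as further attributes (here an event handler).
function render_link_vulnerable(array $t): string
{
    return '<a href="' . $t['site'] . '" title="' . $t['name'] . '">' . $t['name'] . '</a>';
}

// Attribute/text escaper. WordPress code should use esc_attr() / esc_html();
// htmlspecialchars with ENT_QUOTES stands in so this runs outside WordPress.
function esc_attr_local(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL field: accept only http(s) URLs (WordPress: esc_url()). Anything else,
// including a javascript: scheme, collapses to an empty href.
function esc_url_local(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return esc_attr_local($url);
}

// Hardened rendering: every dynamic value is escaped for the context it lands in.
function render_link_hardened(array $t): string
{
    return '<a href="' . esc_url_local($t['site']) . '" title="' . esc_attr_local($t['name']) . '">'
        . esc_attr_local($t['name']) . '</a>';
}

// Audit helper: returns the indexes of stored names that could break out of
// an attribute context or carry an inline event handler. Use it to review
// existing testimonials after updating the plugin.
function find_suspicious_names(array $testimonials): array
{
    $hits = [];
    foreach ($testimonials as $i => $t) {
        if (preg_match('/["\'<>]|\bon\w+\s*=/i', $t['name'])) {
            $hits[] = $i;
        }
    }
    return $hits;
}

foreach (SAMPLE_TESTIMONIALS as $t) {
    echo 'vulnerable: ' . render_link_vulnerable($t) . PHP_EOL;
    echo 'hardened:   ' . render_link_hardened($t) . PHP_EOL;
}
echo 'suspicious indexes: ' . implode(',', find_suspicious_names(SAMPLE_TESTIMONIALS)) . PHP_EOL;
```

Run with `php example.php`: the vulnerable output for the second record contains a live `onmouseover=` attribute, while the hardened output keeps the whole value inside the `title` attribute as `123&quot;onmouseover=&#039;alert(1)&#039;`, and the audit helper reports index 1. The audit regex is deliberately broad (any quote or angle bracket, or an `on...=` pattern) because it is meant to surface entries for human review, not to replace output escaping.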
Stay vigilant and proactive in safeguarding your WordPress site against emerging threats like CVE-2024-3261. Your website’s security is paramount, so take action now to prevent potential exploitation.
DMITRII I.