In the ever-evolving landscape of web security, vulnerabilities in popular plugins pose significant risks to website integrity. One such critical vulnerability has been discovered in the Lightbox & Modal Popup WordPress Plugin – FooBox, identified as CVE-2024-3276. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to execute malicious scripts, leading to severe consequences such as backdoor creation and account takeovers.
| CVE | CVE-2024-3276 |
| Plugin | FooBox (Free and Premium) < 2.7.28 |
| Critical | High |
| All Time | 2 340 358 |
| Active installations | 100 000+ |
| Publicly Published | June 9, 2024 |
| Last Updated | June 9, 2024 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3276 https://wpscan.com/vulnerability/996d3247-ebdd-49d1-a1a3-ceedcf9f2f95/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| March 19, 2024 | Plugin testing and vulnerability detection in the Lightbox & Modal Popup WordPress Plugin – FooBox have been completed |
| March 19, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| June 9, 2024 | Registered CVE-2024-3276 |
Discovery of the Vulnerability
During a routine security assessment, a vulnerability was identified in FooBox that permits Stored XSS attacks. The flaw was found within the plugin’s settings, specifically in the “Specific CSS classes” field. By injecting a crafted payload, an attacker could exploit this vulnerability to execute arbitrary JavaScript code on behalf of an editor. This discovery highlights the importance of thorough security testing, even in widely-used and trusted plugins.
Understanding of Stored XSS attack’s
Cross-Site Scripting (XSS) is a common web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. In WordPress, XSS vulnerabilities are particularly dangerous due to the platform’s widespread use and the elevated privileges of user roles like editors and administrators. For instance, if an attacker gains access to an editor account, they can embed malicious scripts that execute whenever the affected page is loaded.
Real-world examples of XSS in WordPress include scenarios where attackers steal cookies, session tokens, or other sensitive information, hijack user sessions, or perform actions on behalf of the victim without their knowledge. The CVE-2024-3276 vulnerability in FooBox is a prime example of how XSS can be leveraged for malicious purposes.
Exploiting the Stored XSS Vulnerability
Exploiting the CVE-2024-3276 vulnerability involves injecting a malicious script into the “Specific CSS classes” field within the FooBox plugin settings. Here is a step-by-step outline of how the exploit can be carried out:
POC:
Go to settings an change “Specific CSS classes” field to 123″</script><img src=x onerror=alert(1)>alert(1) (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)
____
The primary risk associated with this vulnerability is the potential for complete site compromise through backdoor creation. If an attacker can inject a script that creates an administrative account, they gain full control over the site. Real-world scenarios include:
- Data Theft: Accessing and exfiltrating sensitive data stored within the WordPress site.
- Defacement: Altering the site’s appearance or content to deliver malicious messages or damage the site’s reputation.
- Further Exploitation: Using the compromised site to launch attacks on visitors or other connected systems.
Given the high number of active installations of FooBox, the impact of this vulnerability can be extensive, affecting numerous websites globally.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-3276, several security measures are recommended:
- Apply Patches and Updates: Ensure that all plugins, including FooBox, are updated to the latest versions where vulnerabilities have been patched.
- Sanitize Inputs: Developers should implement strict input validation and output encoding to prevent malicious scripts from being processed.
- Least Privilege Principle: Limit the use of high-privilege accounts. Editors and other users should only have the necessary permissions for their roles.
- Disable Unfiltered HTML: Administrators should disable the
unfiltered_htmlcapability for all roles to prevent the injection of arbitrary scripts. - Security Audits: Regularly conduct security audits and penetration tests to identify and address vulnerabilities proactively.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3276, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
