A critical security flaw has been discovered in the widely-used WordPress plugin, All in One SEO with more then 3 millions installations, marked as CVE-2024-3368. This vulnerability poses a significant threat, allowing attackers to execute malicious code through Stored Cross-Site Scripting (XSS) attacks, potentially leading to the creation of admin accounts by contributors.

CVECVE-2024-3368
PluginAll in One SEO < 4.6.1.1
CriticalVery High
All Time147 495 153
Active installations3 000 000+
Publicly PublishedApril 29, 2023
Last UpdatedApril 29, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3368
https://wpscan.com/vulnerability/ab78b1a5-e28c-406b-baaf-6d53017f9328/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

April 3, 2024Plugin testing and vulnerability detection in the All in One SEO have been completed
April 3, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 29, 2024Registered CVE-2024-3368

Discovery of the Vulnerability

During routine testing, security researchers identified a vulnerability in the All in One SEO plugin that enables contributors to execute arbitrary JavaScript code within the context of a WordPress post. This flaw grants unauthorized access to admin privileges, putting millions of websites at risk of compromise.

Understanding of Stored XSS attack’s

Stored XSS occurs when user-supplied data is stored on a server and later displayed on a web page without proper validation. In the case of WordPress, attackers can exploit this vulnerability by injecting malicious code into posts, comments, or metadata fields, leading to unauthorized actions or data theft.

Exploiting the Stored XSS Vulnerability

By leveraging the vulnerability in All in One SEO, attackers can craft a malicious post containing JavaScript code and inject it into the SEO section. When administrators or other users interact with the compromised content, the malicious script executes, potentially resulting in the creation of admin accounts, data theft, or further exploitation.

POC:

Create a new Post and add here “https://123.123″asdasd=”;alert(1);<img src=x onerror=alert(1)>” to the SEO section

____

With over 3 million active installations, the CVE-2024-3368 vulnerability in All in One SEO poses a severe risk to WordPress websites globally. Attackers could exploit this flaw to gain unauthorized access, deface websites, steal sensitive information, or distribute malware, causing significant harm to site owners and visitors.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-3368 and similar vulnerabilities, WordPress site owners are urged to update the All in One SEO plugin to the latest patched version immediately. Additionally, regular security audits, robust access controls, and the implementation of web application firewalls (WAFs) can help safeguard against XSS attacks and other security threats.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3368, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-3368 – All in One SEO – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC

6 thoughts on “CVE-2024-3368 – All in One SEO – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC

Leave a Reply

Your email address will not be published. Required fields are marked *