CVE-2024-3635 represents a critical Stored Cross-Site Scripting (XSS) vulnerability in The Post Grid plugin, a popular tool for creating custom grid layouts in WordPress. With over 100,000 installations, this vulnerability poses a serious threat as it allows attackers with editor-level permissions to inject malicious JavaScript (JS) code into grid settings. Once exploited, the vulnerability can lead to account takeover, enabling attackers to create persistent backdoors and take control of the WordPress site.
CVE | CVE-2024-3635 |
Plugin | The Post Grid < 7.5.0 |
Severity | High |
All Time | 2 157 789 |
Active installations | 100 000+ |
Publicly Published | August 31, 2024 |
Last Updated | August 31, 2024 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3635 |
| https://wpscan.com/vulnerability/63cbe5f4-fe0f-499f-a964-cf4fbedcfa25/ |
Timeline
May 4, 2024 | Plugin testing and vulnerability detection in The Post Grid have been completed |
May 4, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
August 31, 2024 | Registered CVE-2024-3635 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of The Post Grid plugin’s “Add New Grid” settings. The flaw lies in the “Parent class” field, which does not properly sanitize user input. As a result, an attacker can inject JavaScript into this field, leading to the execution of the script whenever the grid is viewed or edited by a privileged user.
A proof-of-concept (PoC) demonstrated how an attacker could modify the “Parent class” field with the following payload:
123"gkgjh='' onmouseover='alert(1)'
Once saved, the script is triggered whenever an admin or editor hovers over the affected element, enabling further exploitation such as account hijacking, site manipulation, or the creation of persistent backdoors.
Understanding XSS attacks
Cross-Site Scripting (XSS) is a well-known web vulnerability that occurs when applications fail to properly sanitize user inputs. In WordPress, XSS vulnerabilities are particularly dangerous because they allow attackers to inject and execute untrusted scripts within trusted web environments. Stored XSS, as seen in CVE-2024-3635, is even more harmful because the malicious script is permanently stored in the backend and executed whenever an admin or editor interacts with the compromised data.
For example, attackers exploiting XSS vulnerabilities can hijack user sessions, steal authentication cookies, or escalate their privileges. In the context of WordPress plugins like The Post Grid, XSS can be used to execute malicious scripts that take over administrator accounts or introduce backdoors that give the attacker persistent access to the site.
Exploiting the XSS Vulnerability
To exploit CVE-2024-3635, an attacker with editor-level access can navigate to the “Add New Grid” settings in The Post Grid plugin and inject a malicious script into the “Parent class” field. For instance, inserting a payload such as the following causes the script to execute when the grid is viewed or edited by an admin:
123"gfhk='' onmouseover='alert(1)'
POC:
Go to "Add New Grid" settings and try to change the field "Parent class" to this - 123"asdasd='' onmouseover='alert(1)'
The risks posed by CVE-2024-3635 are severe, especially for websites that rely on The Post Grid plugin to display custom content layouts. Successful exploitation could lead to account hijacking, allowing attackers to take full control of the site and compromise sensitive information. Additionally, the creation of backdoors enables attackers to maintain long-term access, making it difficult for site administrators to detect and remove the exploit.
In a real-world scenario, an attacker could use this vulnerability to insert malicious scripts that redirect site visitors to phishing pages or install malware on their devices. E-commerce sites are particularly vulnerable, as attackers could steal customer data, compromise payment information, or manipulate product listings. The ease of exploitation, combined with the widespread use of The Post Grid plugin, makes this vulnerability a prime target for attackers seeking to compromise high-traffic WordPress sites.
Recommendations for Improved Security
To mitigate the risk of CVE-2024-3635, it is crucial that WordPress site administrators update The Post Grid plugin to the latest version as soon as a patch is available. Plugin developers should implement strict input validation and sanitization, particularly in fields like the “Parent class” field, to prevent XSS vulnerabilities.
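The following is an added illustration, not code from The Post Grid plugin: it shows the attribute-context pattern behind this bug (a stored setting dropped straight into a class="..." attribute, which a value shaped like the advisory's PoC can close early) next to the two fixes the recommendation above calls for, escaping on output with esc_attr() and restricting on input with sanitize_html_class(). The stand-in definitions of those two WordPress functions exist only so the file runs with plain php outside WordPress; the payload and function names are constructed for the example.

```php
<?php
// Added example (not the plugin's code). Demonstrates why an unescaped
// "Parent class" value can break out of the class attribute, and how
// WordPress code should handle that field.

// Stand-ins so this runs with plain `php`; inside WordPress the real
// sanitize_html_class() / esc_attr() from wp-includes are used instead.
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( $classname, $fallback = '' ) {
        // Like WordPress: keep only A-Z a-z 0-9 _ - ; fall back if nothing is left.
        $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $classname );
        return '' === $sanitized ? $fallback : $sanitized;
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Encode < > & " ' so the value cannot terminate the attribute.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the stored setting is concatenated into the attribute as-is,
// so a double quote in the value closes class="..." and any text after it becomes
// new attributes (including event handlers) on the element.
function render_grid_unsafe( $parent_class ) {
    return '<div class="' . $parent_class . '">';
}

// Fix on output: esc_attr() encodes the quotes, so the browser sees one long,
// harmless class value instead of extra attributes.
function render_grid_escaped( $parent_class ) {
    return '<div class="' . esc_attr( $parent_class ) . '">';
}

// Fix on input: a CSS class never needs quotes, spaces or '=', so store only the
// characters a class name can contain (applied when the grid settings are saved).
function save_parent_class( $raw ) {
    return sanitize_html_class( $raw, 'tpg-grid' );
}

// Constructed value in the shape of the advisory's PoC (hypothetical, for the demo).
$parent_class = '123"x=\'\' onmouseover=\'alert(1)\'';

echo "Unsafe:    ", render_grid_unsafe( $parent_class ), PHP_EOL;
echo "Escaped:   ", render_grid_escaped( $parent_class ), PHP_EOL;
echo "Sanitized: ", render_grid_escaped( save_parent_class( $parent_class ) ), PHP_EOL;
```

Both fixes together are the defensive default in WordPress: sanitize when the option is saved and escape again when it is rendered, so a value that slips past one layer is still neutralised by the other.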
Additionally, administrators should review and limit the permissions assigned to editor-level users, restricting their ability to insert unfiltered HTML or JavaScript. Installing security plugins that monitor for XSS attempts and block malicious scripts can add an extra layer of defense. Regular security audits of WordPress plugins and theme configurations can also help identify and patch vulnerabilities before they can be exploited.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3635, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.