A critical security vulnerability, CVE-2024-3939, was discovered in the WordPress plugin Ditty, which is used by more than 40k sites. This vulnerability exposes websites to stored cross-site scripting (XSS) attacks, which can lead to account hijacking and compromise of the website's integrity (if an attacker has previously gained access to an administrator or editor account, they can use the injected payload as a backdoor to restore access).
Main info:

| Field | Value |
| --- | --- |
| CVE | CVE-2024-3939 |
| Plugin | Ditty < 3.1.36 |
| Severity | High |
| All-time downloads | 2 289 865 |
| Active installations | 40 000+ |
| Publicly published | May 6, 2024 |
| Last updated | May 6, 2024 |
| Researcher | Artyom Krugov |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3939/ , https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/ |
Timeline

| Date | Event |
| --- | --- |
| March 26, 2024 | Plugin testing and vulnerability detection in the Ditty plugin were completed |
| March 26, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| May 6, 2024 | CVE-2024-3939 registered |
Discovery of the Vulnerability
During testing of the Ditty plugin, security researchers identified a vulnerability in the control panel's Add New tab > Add Default section. The Content, Link, Link Title, and Label fields were found to be vulnerable: malicious markup submitted in these fields is stored with the new item and rendered unescaped, enabling Stored XSS. This discovery raises serious concerns about the plugin's security posture and its impact on WordPress sites.
Understanding Stored XSS Attacks
Stored XSS, or Persistent XSS, poses a significant risk to WordPress sites by allowing attackers to inject malicious code that is saved server-side and executed for every visitor who views the affected page, persisting across sessions. Typical entry points are form fields and comment sections; once the payload executes, it can lead to account hijacking, data theft, or malware distribution. In the case of Ditty, attackers can exploit this vulnerability to create a backdoor, compromising the security of affected websites.
Exploiting the Stored XSS Vulnerability
Exploiting the Stored XSS vulnerability in Ditty involves inserting malicious code into vulnerable fields, such as Content, Link, Link Title, and Label. Attackers can craft payloads containing JavaScript code to steal user cookies, redirect users to malicious sites, or perform actions on compromised accounts. Despite filtering attempts by the plugin, attackers can bypass these measures by encoding HTML characters, enabling successful exploitation of the vulnerability.
PoC:
The vulnerability was found in the control panel under the Add New tab > Add Default. The following fields in the settings are vulnerable: Content, Link, Link Title, Label. Payload:
"><script></script><img src=x onerror=alert(Malicious payload)>____
The exploitation of CVE-2024-3939 in Ditty poses severe risks to WordPress sites and their users. Attackers can leverage the vulnerability to launch convincing phishing attacks, compromising user accounts and website integrity. Additionally, the ability to create a backdoor through Stored XSS opens the door to further exploitation, including data exfiltration and malware distribution, leading to reputational damage and financial loss.
Recommendations for Improved Security
Website administrators and WordPress users are strongly advised to update Ditty to the latest patched version (3.1.36 or later) immediately. Additionally, developers should prioritize robust input validation and, above all, context-aware output escaping in their plugins to mitigate the risk of XSS vulnerabilities; a blocklist that only strips known-bad tags is not sufficient, since it can be bypassed by encoding HTML characters. Regular security audits and proactive monitoring can also help identify and address potential security issues before they are exploited by malicious actors.
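To make the recommendation concrete, the following Python sketch (an added example, not code from the Ditty plugin) shows why a tag blocklist fails against the PoC payload above and against an entity-encoded scheme, and how validating the URL and escaping each value for its output context closes both; the POC string is constructed here, and the WordPress counterparts named in the comments (esc_attr, esc_html, esc_url) are the functions a plugin developer would use instead.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed payload modelled on the PoC: closes the attribute it lands in,
# then fires via an event handler so a <script> blocklist never sees it.
POC = '"><script></script><img src=x onerror=alert(1)>'

SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative URLs


def blocklist_filter(value: str) -> str:
    """The weak approach: strip <script> tags from input and call it clean."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", value)


def render_naive(label: str, link: str) -> str:
    """Vulnerable pattern: blocklist on input, raw interpolation on output."""
    clean = blocklist_filter(label)
    return f'<a href="{link}" title="{clean}">{clean}</a>'


def esc_attr(value: str) -> str:
    """Escape for an HTML attribute or text node (WordPress: esc_attr/esc_html)."""
    return html.escape(value, quote=True)


def esc_url(value: str) -> str:
    """Allowlist the scheme; return "" for anything rejected (cf. WordPress esc_url).

    Entities are decoded first because the browser decodes them before following
    the link, so 'javascript&colon;' is exactly the encoded bypass a raw-string
    check misses. Whitespace/control characters are dropped because browsers
    ignore them inside a scheme; a legitimate URL never contains them raw.
    """
    decoded = html.unescape(value)
    cleaned = "".join(ch for ch in decoded if ord(ch) > 0x20 and ord(ch) != 0x7F)
    if urlsplit(cleaned).scheme not in SAFE_SCHEMES:
        return ""
    return cleaned


def render_safe(label: str, link: str) -> str:
    """Hardened pattern: validate the URL, then escape every value for its context."""
    return (f'<a href="{esc_attr(esc_url(link))}" title="{esc_attr(label)}">'
            f"{esc_attr(label)}</a>")


if __name__ == "__main__":
    print("naive :", render_naive(POC, "https://example.com/"))
    print("safe  :", render_safe(POC, "https://example.com/"))
    print("link  :", repr(esc_url("javascript&colon;alert(1)")))  # ''
```

Running it shows the naive output still carrying a live `onerror=` handler after the blocklist has removed the `<script>` tags, while the escaped output renders the payload as inert text.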
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3939, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.