CVE-2024-4004 is a newly discovered Stored Cross-Site Scripting (XSS) vulnerability in the widely used WordPress plugin Advanced Cron Manager. This plugin, essential for managing WP Cron events and schedules, offers extensive functionality to WordPress site administrators. It allows them to view, search, execute, add, pause, and delete scheduled tasks, as well as customize PHP cron events. With over 30,000 installations, Advanced Cron Manager provides a streamlined approach to scheduling but, unfortunately, also introduces a vulnerability exploitable by users with access to the admin panel. This vulnerability allows attackers to inject malicious JavaScript code into the Cron Manager’s settings, potentially leading to a backdoor on the site.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-4004 |
| Plugin | Advanced Cron Manager < 2.5.7 |
| Criticality | Low |
| All Time | 684 892 |
| Active installations | 30 000+ |
| Publicly Published | October 31, 2024 |
| Last Updated | October 31, 2024 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4004 , https://wpscan.com/vulnerability/8e5e7040-b824-4af7-90a1-90801d12abb6/ |
Timeline
| Date | Event |
| --- | --- |
| April 5, 2024 | Plugin testing and vulnerability detection in the Advanced Cron Manager have been completed |
| April 5, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 30, 2024 | Registered CVE-2024-4004 |
Discovery of the Vulnerability
The vulnerability was identified during a routine security assessment of the Advanced Cron Manager plugin. Specifically, the issue was found in the plugin’s Add New Event feature, where event arguments are stored without sufficient validation and rendered without output encoding. The flaw allows crafted JavaScript to be inserted through the Add Arguments field. This code executes whenever the cron event is viewed in the admin panel, setting the stage for a persistent JavaScript backdoor. The vulnerability was demonstrated using standard XSS payloads that bypassed input sanitization because user-supplied values were not HTML-encoded before being placed in the page.
Understanding XSS attacks
Stored Cross-Site Scripting (XSS) occurs when malicious code is saved within a web application and later executed in the browser of anyone viewing the affected content. In WordPress, stored XSS is especially dangerous because it lets attackers target administrative pages viewed by site admins. Similar cases have been identified in other plugins, where unsanitized inputs or improperly encoded data create entry points for XSS attacks; plugins managing user-generated content, comments, or file uploads are particularly exposed.
Advanced Cron Manager’s vulnerability is particularly impactful due to its use of AJAX requests for dynamic content management. Stored XSS can hijack these requests to run in the context of WordPress admins, making it a powerful vector for attacks like privilege escalation, account hijacking, and site compromise.
Exploiting the XSS Vulnerability
To exploit this vulnerability, attackers with access to the Cron Manager tab in the Tools Admin control panel need to follow these steps:
- Access the Add New Event tab in the Advanced Cron Manager plugin.
- Enter the necessary fields to create a new cron event.
- Insert a crafted payload in the Add Arguments field. For instance:
"><script></script><img src=x onerror=alert(document.domain)>
This payload triggers a pop-up alert containing the site’s domain whenever an admin reviews cron event settings.
- An alternative payload could involve exploiting cookies or other session data:
<meter value=2 min=0 max=10 onmouseover=alert(document.cookie)>2 out of 10</meter>
This payload would allow the attacker to capture session cookies or other valuable information from admin users, providing further potential for backdoor access.
Recommendations for Improved Security
To mitigate this and similar vulnerabilities, both developers and site administrators should follow several best practices:
- Sanitize and Validate User Inputs: Plugin developers should validate input on the way in and, above all, encode output for the context it lands in (HTML text, attribute, or JavaScript), particularly when rendering user-supplied data such as cron arguments in the admin panel.
- Limit Access: Restrict cron management features to admin users only and avoid exposing sensitive functions to lower-privileged accounts.
- Regular Security Audits: Developers should conduct regular audits of plugins, especially those handling user inputs through AJAX.
- Update WordPress Plugins and Core: Administrators should keep plugins updated to avoid known vulnerabilities and benefit from recent security patches.
- Use Security Plugins: Plugins like Wordfence or Sucuri can detect and alert admins about malicious actions, such as unexpected cron jobs or unauthorized JavaScript.
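The following is an added illustration, not the plugin's own code, of the output-encoding recommendation above and of how the two payloads from the exploitation steps are neutralised when encoding is applied; the rendering functions, the audit pattern and the sample argument list are hypothetical and constructed for this example.

```javascript
// Added example (not Advanced Cron Manager's code): context-aware output
// encoding for cron event arguments rendered into an admin page, plus an
// audit check that flags stored argument values carrying markup.

// Encode a value for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored argument string is concatenated raw into
// markup, so a leading `">` closes the attribute and injects a new element.
function renderArgsVulnerable(args) {
  return '<td class="args" title="' + args + '">' + args + '</td>';
}

// Hardened pattern: every untrusted value is encoded before insertion, in
// both the attribute context and the text-node context.
function renderArgsSafe(args) {
  const enc = escapeHtml(args);
  return '<td class="args" title="' + enc + '">' + enc + '</td>';
}

// Audit helper (hypothetical): flags stored argument strings that contain a
// tag, an on*= event handler or a javascript: URL, for reviewing existing
// cron entries after the plugin has been updated.
const MARKUP_RE = /<\s*\/?\s*[a-z][\w-]*|\bon[a-z]+\s*=|javascript:/i;
function looksLikeMarkup(args) {
  return MARKUP_RE.test(String(args));
}

// Constructed sample: two benign argument values and the two payloads
// quoted in the exploitation section of this advisory.
const SAMPLE_ARGS = [
  'post_id=42',
  '{"limit":10,"mode":"full"}',
  '"><script></script><img src=x onerror=alert(document.domain)>',
  '<meter value=2 min=0 max=10 onmouseover=alert(document.cookie)>2 out of 10</meter>',
];

// Returns only the entries an administrator should inspect.
function auditArgs(list) {
  return list.filter(looksLikeMarkup);
}
```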
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4004, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.