Security vulnerabilities in WordPress plugins are a persistent concern for site administrators. CVE-2024-4090, found in the popular My Sticky Bar plugin, is a Stored Cross-Site Scripting (XSS) issue: a low-privileged user can save a script payload that is later executed in the browsers of visitors and administrators, putting site integrity and user trust at risk.
| Field | Value |
|---|---|
| CVE | CVE-2024-4090 |
| Plugin | My Sticky Bar < 2.7.2 |
| Severity | Low |
| All-time downloads | 2 934 584 |
| Active installations | 100 000+ |
| Publicly published | July 18, 2024 |
| Last updated | July 18, 2024 |
| Researcher | Artyom Krugov |
| OWASP Top 10 (2017) | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4090 , https://wpscan.com/vulnerability/aedcb986-0f2b-4852-baf1-6cb61e83e109/ |
Timeline
| Date | Event |
|---|---|
| April 11, 2024 | Plugin testing completed and the vulnerability in My Sticky Bar detected |
| April 11, 2024 | I contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| July 18, 2024 | CVE-2024-4090 registered and published |
Discovery of the Vulnerability
During routine testing of the My Sticky Bar plugin, a vulnerability was found that allows a user with only the Contributor role to store a script payload in the plugin's settings. The payload resides in the "Bar Test (Static Text)" field of the My Sticky Bar panel, which is saved without adequate sanitization and rendered without escaping. Because the value is stored server-side, it is executed every time the affected page is viewed, including by logged-in administrators, so a successful exploit can lead to session theft and account takeover.
Understanding Stored XSS attacks
Cross-Site Scripting (XSS) occurs when an attacker injects script into content that a web application later serves to other users. In the stored variant the payload is persisted (here, in a plugin setting in the WordPress database) and delivered to every visitor who loads the page, without any further action by the attacker. In WordPress this is especially dangerous when a low-privileged account can write the value and a high-privileged account views the result: the script runs with the victim's authenticated session, so it can perform actions on their behalf (such as creating an administrator account or changing site settings), steal cookies, or redirect visitors to attacker-controlled sites.
Exploiting the Stored XSS Vulnerability
To exploit the CVE-2024-4090 vulnerability in the My Sticky Bar plugin, follow these steps:
POC:
- Go to the My Sticky Bar Panel: Log in to your WordPress site with a contributor account and navigate to the My Sticky Bar panel.
- Quick Action Pencil Button: On the dashboard, click the pencil button in the Quick Action section.
- Enter Malicious Payload: In the “Bar Test (Static Text)” panel, input the following payload: “><script></script><img src=x onerror=alert(document.domain)>
The leading `">` closes the attribute and tag in which the text is reflected, and the `<img src=x onerror=...>` element executes its handler as soon as the non-existent image fails to load; the `alert(document.domain)` is only a proof that script executes in the site's origin. Because the sticky bar is rendered on the site's pages, the payload runs in the browser of every visitor, including administrators, and a real attacker would replace the alert with cookie theft or authenticated requests made with the victim's session.
Recommendations for Improved Security
To mitigate this threat and enhance security:
- Update promptly: update My Sticky Bar to version 2.7.2 or later, where the issue is fixed.
- Sanitization and escaping: developers must sanitize input on the server when it is saved (client-side validation is not a security control) and escape it on output according to the context in which it is rendered (HTML body, attribute, JavaScript).
- Regular audits: conduct regular security audits and penetration tests to detect and fix similar issues.
- User permissions: settings that are rendered on every page should only be editable by users who can already publish unfiltered HTML (in WordPress, the `unfiltered_html` capability, held by administrators on single-site installs); lower roles such as Contributor should not be able to insert HTML or JavaScript into such fields.
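To make the sanitization and permission recommendations concrete, the following is an added example written for this post; it is not My Sticky Bar's own code and the option name `example_bar_text`, the field name `bar_text` and the function names are hypothetical. It shows the pattern that leads to a stored XSS of the kind described above (raw request data saved to an option and echoed unescaped) next to a hardened handler that checks capability and nonce, sanitizes on save with WordPress' own functions, and escapes on output according to context. It is meant to run inside a WordPress plugin, where the `wp_*`, `esc_*` and option functions are available.

```php
<?php
/**
 * Added example (not My Sticky Bar's own code). Option and field names are
 * hypothetical; the WordPress API calls are real and run inside a plugin.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Any user who can reach this handler stores arbitrary HTML: no capability
// check, no nonce, no sanitization.
function example_bar_save_vulnerable() {
    update_option( 'example_bar_text', $_POST['bar_text'] );
}

// The stored value is printed unescaped into an attribute and into the body,
// so a value such as
//   "><script></script><img src=x onerror=alert(document.domain)>
// closes the attribute and executes on every page view.
function example_bar_render_vulnerable() {
    $text = get_option( 'example_bar_text', '' );
    echo '<div class="sticky-bar" data-text="' . $text . '">' . $text . '</div>';
}

// --- Hardened pattern -------------------------------------------------------
function example_bar_save_hardened() {
    // 1. Authorization: only users allowed to manage site options (and who
    //    therefore already hold unfiltered_html on single-site installs) may
    //    change a bar that is rendered on every page. Contributors are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the submitting form must carry a nonce created with
    //    wp_nonce_field( 'example_bar_save' ).
    check_admin_referer( 'example_bar_save' );

    // 3. Sanitize on save, server side. For a plain-text bar, strip all tags.
    $text = isset( $_POST['bar_text'] ) ? wp_unslash( $_POST['bar_text'] ) : '';
    $text = sanitize_text_field( $text );

    // If limited markup is a product feature, use an explicit allowlist instead
    // of sanitize_text_field(): wp_kses() drops every tag and attribute not
    // listed, so event handlers such as onerror can never be stored.
    // $text = wp_kses( $text, array(
    //     'strong' => array(),
    //     'a'      => array( 'href' => array() ),
    // ) );

    update_option( 'example_bar_text', $text );
}

// 4. Escape on output, even though the value was sanitized on save: the
//    escaping function must match the rendering context.
function example_bar_render_hardened() {
    $text = get_option( 'example_bar_text', '' );
    echo '<div class="sticky-bar" data-text="' . esc_attr( $text ) . '">'
       . esc_html( $text )
       . '</div>';
}

// Wire the hardened handler to a form that posts action=example_bar_save to
// admin-post.php; the vulnerable functions above are shown only for contrast.
add_action( 'admin_post_example_bar_save', 'example_bar_save_hardened' );
add_action( 'wp_footer', 'example_bar_render_hardened' );
```

With the hardened version, the PoC payload is stored as plain text (`sanitize_text_field()` removes the tags) and, even if a tag-bearing value reached the database by another path, `esc_attr()` and `esc_html()` encode `"` and `<` so the browser renders the string instead of executing it. Sanitizing on save and escaping on output are both needed: the first limits what is persisted, the second protects against values written by other code or older versions.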
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4090, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.