WordPress plugins are a vital component of the ecosystem, providing extended functionality and customization. However, with great flexibility comes great responsibility, as plugins can introduce significant security vulnerabilities if not properly secured. One such plugin, Shortcodes Ultimate Pro, which boasts over 600,000 installations, was found to have a critical security flaw. The vulnerability, identified as CVE-2024-4217, allows a malicious actor to exploit Stored Cross-Site Scripting (XSS) to create an admin account, potentially leading to a full site takeover.

CVECVE-2024-4217
PluginShortcodes Ultimate Pro < 7.1.5
CriticalHigh
All Time20 891 292
Active installations600 000+
Publicly PublishedJune 27, 2024
Last UpdatedJune 27, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4217
https://wpscan.com/vulnerability/55cb43bf-7c8f-4df7-b4de-bf2bb1c2766d/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

April 23, 2024Plugin testing and vulnerability detection in the Shortcodes Ultimate Pro have been completed
April 23, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
June 27, 2024Registered CVE-2024-4217

Discovery of the Vulnerability

The vulnerability was discovered during routine testing of the Shortcodes Ultimate Pro plugin. It was found that contributors could inject malicious JavaScript code into a new post using the plugin’s shortcode feature. This flaw lies in the improper sanitization of user input in the shortcode attributes, allowing for malicious payloads to be stored and executed when viewed by an administrator.

Understanding of Stored XSS attack’s

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. It allows attackers to inject malicious scripts into content that users view. When these scripts execute in the context of a logged-in user’s session, they can perform actions on behalf of that user without their consent or knowledge. In WordPress, XSS vulnerabilities often arise due to improper input validation and sanitization, particularly in plugins and themes.

Real-world examples of XSS in WordPress include scenarios where attackers can steal session cookies, deface websites, or perform actions as logged-in users. For instance, an attacker might inject a script that sends the administrator’s session cookie to a remote server, allowing the attacker to hijack the admin session.

Exploiting the Stored XSS Vulnerability

Exploiting this specific XSS vulnerability in Shortcodes Ultimate Pro involves crafting a malicious shortcode and embedding it into a post. The following Proof of Concept (POC) payload demonstrates how an attacker can inject JavaScript to trigger an alert and potentially take over an admin account:

POC:

[su_icon_panel background=”1″ color=”1″ border=”1px double 1″ shadow=”1px 2px 0px 1″ radius=”18″ text_align=”left” icon_color=”11″ icon_size=”69″ url=’123″onmouseover=”alert(1)”‘ target=”blank” class=”123″]Panel content123[/su_icon_panel]

____

When an administrator views the post containing this shortcode, the embedded script executes, potentially leading to further exploitation, such as creating a new admin account or other malicious actions.

Recommendations for Improved Security

To mitigate such vulnerabilities and enhance overall security, the following measures should be adopted:

  1. Input Validation and Sanitization: Ensure all input fields, particularly those that can include scripts or HTML, are properly sanitized and validated to prevent injection attacks.
  2. Least Privilege Principle: Limit the permissions of user roles to only what is necessary. Contributors should not have the capability to include potentially dangerous content.
  3. Regular Security Audits: Conduct regular security audits of plugins and themes to identify and address vulnerabilities.
  4. Update Plugins and Themes: Keep all plugins and themes updated to their latest versions to benefit from security patches and improvements.
  5. Security Plugins: Utilize security plugins that can provide additional layers of defense, such as firewall protection and malware scanning.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4217, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.
CVE-2024-4217 – Shortcodes Ultimate Pro – Stored XSS to Admin Account Creation – POC

Create your CleanTalk account



By signing up, you agree with license. Have an account? Log in.


Leave a Reply

Your email address will not be published. Required fields are marked *