WordPress plugins enhance website functionality, but they can also introduce security vulnerabilities. One such vulnerability has been discovered in the SEOPress – On-site SEO plugin, affecting over 300,000 active installations. This vulnerability, identified as CVE-2024-4899, allows contributors to exploit a Stored XSS (Cross-Site Scripting) flaw, potentially leading to the creation of unauthorized admin accounts.
CVE | CVE-2024-4899
Plugin | SEOPress < 7.8
Severity | High
All-time downloads | 12 340 358
Active installations | 300 000+
Publicly published | June 9, 2024
Last updated | June 9, 2024
Researcher | Dmitrii Ignatyev
OWASP Top 10 | A7: Cross-Site Scripting (XSS)
PoC | Yes
Exploit | No
References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4899 ; https://wpscan.com/vulnerability/15346ae9-9a29-4968-a6a9-81d1116ac448/
Plugin Security Certification by CleanTalk
Timeline
May 10, 2024 | Plugin testing and vulnerability detection in SEOPress – On-site SEO were completed
May 10, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
June 9, 2024 | Registered CVE-2024-4899 |
Discovery of the Vulnerability
The vulnerability was discovered during routine security testing of the SEOPress plugin. The researcher found that contributors could inject JavaScript into the “SEO Title” field of a new post. Because the value is stored and later written into the page unescaped, the script executes whenever an administrator views the post, which is enough for an attacker to perform privileged actions in that session, such as creating a new admin account.
Understanding Stored XSS attacks
XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. In WordPress, such vulnerabilities are especially concerning because they can be used to hijack admin sessions, deface websites, or inject malicious scripts. Real-world examples include attacks on popular plugins like WP GDPR Compliance and Yoast SEO, which have previously faced similar vulnerabilities.
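The sink described above, in a constructed form: an added illustration, not code from SEOPress or CleanTalk, that contrasts writing a stored meta value into markup raw with writing it through WordPress's output escaping. The meta value, the example_* function names and the stand-in definitions of esc_html()/esc_attr() (so the file also runs with plain php outside WordPress) are assumptions made for this example.

```php
<?php
// Added illustration, not SEOPress or CleanTalk code. Shows why a stored
// "SEO title" is a Stored XSS sink when echoed raw, and the escaped form.
// Function names and the sample value are assumptions for this example.

// Stand-ins so the file runs with plain `php` outside WordPress; inside
// WordPress the real esc_html()/esc_attr() are used and these are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample: the PoC payload as it would sit in wp_postmeta after a
// contributor saved it without any filtering.
$stored_title = ';<img src=x onerror=alert(1)><';

// VULNERABLE pattern: the stored string is concatenated straight into markup.
// The browser parses the <img> tag and runs its onerror handler for every
// viewer of the page, including an administrator previewing the post.
function example_title_tag_vulnerable( $title ) {
    return '<title>' . $title . '</title>';
}

// FIXED pattern: escape at the point of output for the HTML text context.
// < > & " ' become entities, so the value renders as literal text.
function example_title_tag_safe( $title ) {
    return '<title>' . esc_html( $title ) . '</title>';
}

// The same value written into an attribute needs attribute-context escaping.
function example_og_meta_safe( $title ) {
    return '<meta property="og:title" content="' . esc_attr( $title ) . '" />';
}

echo example_title_tag_vulnerable( $stored_title ), PHP_EOL;
echo example_title_tag_safe( $stored_title ), PHP_EOL;
echo example_og_meta_safe( $stored_title ), PHP_EOL;
```

Running it shows the first line carrying a live `<img>` tag while the other two carry `&lt;img ... &gt;`, which a browser displays as text. The rule the example demonstrates is to escape for the context being written (text node, attribute, URL) at output time, regardless of what filtering happened on save.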
Exploiting the Stored XSS Vulnerability
To exploit the CVE-2024-4899 vulnerability, an attacker needs contributor access to the WordPress site. The steps to exploit are straightforward:
PoC:
1) Create a new post.
2) At the bottom of the page, put this text in the “SEO Title” field: ;<img src=x onerror=alert(1)><
The risk posed by this vulnerability is significant, especially for sites with multiple contributors. Attackers can leverage this flaw to escalate privileges, gain full control of the website, and potentially distribute malware to site visitors. In a real-world scenario, this could lead to severe consequences, such as data breaches, defacement, and loss of user trust.
Recommendations for Improved Security
To mitigate this vulnerability and enhance overall security, the following measures are recommended:
- Update the Plugin: Ensure that the SEOPress plugin is updated to the latest version, where the vulnerability is patched.
- Limit Contributor Permissions: Restrict the permissions of contributor roles to minimize the risk of such attacks.
- Implement Input Validation: Use input validation and sanitization techniques to prevent the injection of malicious scripts.
- Regular Security Audits: Conduct regular security audits of all plugins and themes to identify and fix vulnerabilities promptly.
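The input-validation, contributor-permission and audit recommendations above, worked through as one added example (not SEOPress or CleanTalk code): a contributor-editable meta field is registered with a save-time sanitizer and an authorization callback, and a small sweep flags already-stored values that look like script for manual review. The meta key `_example_seo_title`, every example_* name, the stand-in sanitize_text_field() used when running outside WordPress, and the sample rows are assumptions for this example.

```php
<?php
// Added example, not SEOPress or CleanTalk code: (1) sanitize a contributor-
// editable meta value on save and gate who may write it, (2) audit values that
// are already stored. Meta key, example_* names and sample rows are assumptions.

// Stand-in so the audit part runs with plain `php`; inside WordPress the real
// sanitize_text_field() (which also strips tags) is used instead.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        return trim( preg_replace( '/\s+/', ' ', strip_tags( (string) $str ) ) );
    }
}

// Save-time sanitization: a plain-text title never legitimately contains
// markup, so tags are stripped before the value reaches the database. This is
// defence in depth; escaping on output is still required.
function example_sanitize_seo_title( $value ) {
    return sanitize_text_field( $value );
}

// Authorization: the value may only be written by a user who can edit the
// post itself. WordPress passes more arguments; the rest are not needed here.
function example_seo_title_auth( $allowed, $meta_key, $post_id, $user_id ) {
    return user_can( $user_id, 'edit_post', $post_id );
}

// Audit sweep over rows shaped like the result of
//   SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_example_seo_title'
// Flags tag openers, javascript: URLs and on*= handlers; returns post IDs to review.
function example_find_suspicious_meta( array $rows ) {
    $pattern = '/<[a-z!\/]|javascript\s*:|\bon[a-z]+\s*=/i';
    $hits    = array();
    foreach ( $rows as $row ) {
        if ( preg_match( $pattern, $row['meta_value'] ) ) {
            $hits[] = (int) $row['post_id'];
        }
    }
    return $hits;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: register the field with its sanitizer and auth callback
    // (register_post_meta has been in core since WordPress 4.9.8).
    add_action( 'init', function () {
        register_post_meta( 'post', '_example_seo_title', array(
            'type'              => 'string',
            'single'            => true,
            'show_in_rest'      => false,
            'sanitize_callback' => 'example_sanitize_seo_title',
            'auth_callback'     => 'example_seo_title_auth',
        ) );
    } );
} else {
    // Constructed sample rows for a stand-alone run.
    $rows = array(
        array( 'post_id' => 11, 'meta_value' => 'Ten tips for on-site SEO' ),
        array( 'post_id' => 12, 'meta_value' => ';<img src=x onerror=alert(1)><' ),
        array( 'post_id' => 13, 'meta_value' => 'Q&A: pricing and plans' ),
    );
    echo 'Posts needing review: ', implode( ', ', example_find_suspicious_meta( $rows ) ), PHP_EOL;
    echo 'Sanitized value: ', example_sanitize_seo_title( $rows[1]['meta_value'] ), PHP_EOL;
}
```

In the stand-alone run only post 12 is reported; the benign titles containing "on-site" and "Q&A" are not matched, which is the false-positive check worth keeping when you adapt the pattern. The sweep is a starting point for the audit recommendation: it finds values to look at, and a human decides what to do with them.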
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4899, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.