CVE-2024-5561 highlights a critical flaw in the Popup Maker plugin, a popular WordPress plugin used by over 700,000 websites to create and manage popups. This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript (JS) code. Exploited by someone with editor-level permissions, this flaw can result in complete account takeover and the creation of backdoors, leading to long-term control over the compromised WordPress site.

CVECVE-2024-5561
PluginPopup Maker < 1.19.1
CriticalHigh
All Time15 972 678
Active installations700 000+
Publicly PublishedAugust 19, 2024
Last UpdatedAugust 19, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5561
https://wpscan.com/vulnerability/6a87cc25-bd7d-40e3-96f9-26646cd6f736/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

May 28, 2024Plugin testing and vulnerability detection in the Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder have been completed
May 28, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024Registered CVE-2024-5561

Discovery of the Vulnerability

During routine security testing, a severe vulnerability was discovered in the Popup Maker plugin. The flaw resides in the plugin’s subscription form feature, which allows users to customize the success message that appears after a form is submitted. Through insufficient input sanitization, the “Success Message” field can be manipulated to execute malicious JavaScript code.

A proof-of-concept (PoC) demonstrated that by inserting a shortcode such as [pum_sub_form name_field_type="fullname" label_name="Name"...] into a new post and modifying the “Success Message” field in the plugin’s settings with a payload like <img src=x onerror=alert(1)>, an attacker could trigger the XSS script. When the form is submitted, the script is executed in the context of the site admin’s browser, potentially leading to account hijacking or the creation of an unauthorized admin account.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) vulnerabilities are a common threat in WordPress, especially with the extensive use of third-party plugins. XSS allows attackers to inject and execute untrusted scripts within a trusted website. In the case of the Popup Maker plugin, the vulnerability stems from improper sanitization of user inputs within the settings field, allowing attackers to insert JavaScript that executes when the form is submitted.

Real-world examples of XSS vulnerabilities often involve attackers stealing session cookies, hijacking user accounts, or inserting scripts that can perform unauthorized actions like changing site settings or installing malware. The stored XSS vulnerability in Popup Maker is particularly dangerous because it allows attackers with editor-level access to execute scripts that could gain higher privileges, leading to site-wide compromise.

Exploiting the XSS Vulnerability

Exploiting CVE-2024-5561 involves using the plugin’s subscription form feature, combined with injecting a malicious payload into the “Success Message” field. The attacker first creates a new post with a shortcode for the subscription form, then navigates to the plugin’s settings and alters the success message to include a script like <img src=x onerror=alert(1)>. Once the message is saved, the malicious script will be executed whenever the subscription form is submitted, giving the attacker control over the admin’s session or enabling them to create backdoors.

Because the vulnerability allows the insertion of custom JavaScript, more complex payloads could be designed to steal authentication cookies, change WordPress configurations, or create additional administrator accounts. This would allow attackers to maintain persistent control over the site long after the initial exploit.

POC:

You should create new post with following shortcode - [pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers."]. Go to the settings of the plugin and change "Success Message" in Subscriptions section field to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)>" -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

The risks associated with CVE-2024-5561 are significant, especially given the high number of installations (over 700,000). Successful exploitation could lead to an attacker gaining unauthorized access to the WordPress site, creating persistent backdoors, or even defacing the site. Additionally, the site could be used to distribute malware or launch further attacks on visitors or customers.

In real-world scenarios, attackers could exploit this vulnerability to perform mass defacement or inject code that redirects users to phishing sites. For e-commerce sites, the theft of customer data and financial information is a real concern. With the ability to create new admin accounts, the attacker can continue exploiting the site without detection, making this vulnerability a serious threat for high-traffic or business-critical websites.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-5561, WordPress site administrators should immediately update the Popup Maker plugin to the latest version once a patch is available. It is crucial that the plugin developers implement input sanitization measures, ensuring that fields like the “Success Message” cannot accept or execute harmful scripts.

Additionally, administrators should review user roles and permissions, particularly for editors, and restrict the ability to use unfiltered HTML or JavaScript. Implementing a web application firewall (WAF) can further protect sites by blocking XSS attempts before they can be executed. Finally, administrators should monitor their WordPress sites for unusual activity, such as new accounts being created or settings being altered without authorization.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-5561, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.
CVE-2024-5561 – Popup Maker – Stored XSS to backdoor creation – POC

Create your CleanTalk account



By signing up, you agree with license. Have an account? Log in.


Leave a Reply

Your email address will not be published. Required fields are marked *