CVE-2024-5578 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Table of Contents Plus plugin, widely used in WordPress for creating table of contents sections within posts and pages. With over 300,000 installations, this plugin is a valuable tool for content-heavy websites. However, this vulnerability allows attackers to embed malicious JavaScript code within the plugin’s settings, specifically in the “Hide text” field. If exploited, this vulnerability can lead to backdoor creation, admin account takeover, and long-term control of the WordPress site.

CVE: CVE-2024-5578
Plugin: Table of Contents Plus <= 2408
Criticality: High
All-time downloads: 3 456 689
Active installations: 300 000+
Publicly published: October 15, 2024
Last updated: October 15, 2024
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5578
https://wpscan.com/vulnerability/641e4fc3-4214-4c2e-8245-15e9dcdd37b4/

Timeline

May 15, 2024: Plugin testing and vulnerability detection in Table of Contents Plus have been completed
May 15, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
October 15, 2024: Registered CVE-2024-5578

Discovery of the Vulnerability

The vulnerability was discovered during security testing when it was observed that the “Hide text” field in the Table of Contents Plus settings lacks proper input sanitization. This flaw permits attackers to inject harmful JavaScript, which executes whenever a privileged user, such as an admin, interacts with a post containing the table of contents.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities occur when applications fail to sanitize user input, enabling attackers to inject malicious scripts into a webpage. Stored XSS, as found in CVE-2024-5578, is particularly dangerous because the injected code is saved in the site’s database and triggered whenever the affected element is accessed.

In WordPress, XSS vulnerabilities are significant because they can lead to account hijacking, data theft, and privilege escalation. For instance, in the Table of Contents Plus plugin, attackers can inject JavaScript into the “Hide text” field, which executes when the table of contents is displayed. Similar XSS vulnerabilities in WordPress plugins have led to compromised sites, data breaches, and even malware distribution.
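Because a stored payload lives in the database until someone looks for it, a site owner who ran a vulnerable version wants a way to check whether any plain-text plugin setting already carries markup. The following is an added example written for this post, not code from the Table of Contents Plus plugin or from CleanTalk: it walks a settings array (the kind of value `wp option get <name>` returns) and reports every string that contains an HTML tag, an inline event-handler attribute or a javascript: URL. The option layout, the key names and the sample values are constructed for the demonstration.

```php
<?php
// Added example: scan already-stored plugin settings for injected markup.
// Key names and sample values are constructed; they are not the plugin's real option layout.

declare(strict_types=1);

// Constructed sample of a plugin settings array. The "hide_text" entry holds the
// same payload the PoC above uses; the nested "note" shows a javascript: URL case.
const SAMPLE_SETTINGS = [
    'hide_text' => '<img src=x onerror=alert(1)>',
    'show_text' => 'show',
    'heading'   => 'Contents',
    'nested'    => ['label' => 'ok', 'note' => 'click <a href="javascript:void(0)">here</a>'],
];

// Patterns that should never appear in a setting meant to hold plain text.
const MARKUP_PATTERNS = [
    'html_tag'       => '/<\s*\/?[a-z][^>]*>/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'javascript_url' => '/javascript\s*:/i',
];

/**
 * Walk a (possibly nested) settings array and return one entry of
 * [dotted.key, pattern_name, value] for every string that matches a pattern.
 */
function find_markup_in_settings(array $settings, string $prefix = ''): array
{
    $hits = [];
    foreach ($settings as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $hits = array_merge($hits, find_markup_in_settings($value, $path));
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        // Decode entities first so an entity-encoded payload (&lt;img ...&gt;) is not missed.
        $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        foreach (MARKUP_PATTERNS as $name => $regex) {
            if (preg_match($regex, $decoded) === 1) {
                $hits[] = [$path, $name, $value];
                break; // one report per value is enough
            }
        }
    }
    return $hits;
}

// Stand-alone run (outside WordPress): print the findings for the constructed sample.
if (!function_exists('add_action')) {
    foreach (find_markup_in_settings(SAMPLE_SETTINGS) as [$path, $name, $value]) {
        printf("%-12s %-14s %s\n", $path, $name, $value);
    }
}
```

Run on the constructed sample it reports `hide_text` (html_tag) and `nested.note` (html_tag); `show_text` and `heading` pass. Inside WordPress the same function can be fed the result of `get_option()` for each plugin option from a WP-CLI `eval-file` run. The event-handler pattern is deliberately broad and will also flag innocent text such as "turn on = yes", so treat the output as a list of values to review by hand, not as a verdict.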

Exploiting the XSS Vulnerability

To exploit CVE-2024-5578, an attacker with editor-level permissions needs to modify the “Hide text” field in the plugin’s settings with a JavaScript payload such as the one below.

POC:

You should create a new post with two or more headings. Go to the settings of the plugin and change the "Hide text" field to malicious JS code (eval() and the like), for example <img src=x onerror=alert(1)>, then click Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)

The risks associated with CVE-2024-5578 are substantial. A successful exploitation can result in admin account hijacking, allowing the attacker to gain full control over the site. High-traffic websites using Table of Contents Plus for structured content could be particularly vulnerable, as attackers may use this access to alter site content, redirect visitors to malicious sites, or steal sensitive information.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-5578, WordPress administrators should delete the Table of Contents Plus plugin. Developers must implement proper input sanitization for fields such as the “Hide text” field to prevent the insertion of JavaScript and other potentially harmful code.
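The fix the recommendation calls for has two halves: reject markup when the setting is saved, and escape the value when it is printed, so that a value that slipped past the first check still cannot run. The block below is an added example written for this post, not the plugin's code or CleanTalk's: it shows the unsafe rendering pattern that turns a settings field into a stored XSS sink beside its hardened form, in plain PHP so it runs stand-alone, with the WordPress functions it corresponds to named in comments. The option and settings-group names are assumptions, and the sample payload is the one from the PoC.

```php
<?php
// Added example: the vulnerable render pattern beside the hardened one.
// Plain PHP so it runs stand-alone; option/group names are assumed, not the plugin's.

declare(strict_types=1);

// Constructed sample of what an attacker could store in the "Hide text" field.
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: the stored setting is concatenated straight into the page,
// so any tag it contains becomes part of the DOM and its event handler runs.
function render_toggle_vulnerable(string $hide_text): string
{
    return '<a href="#" class="toc_toggle">' . $hide_text . '</a>';
}

// Hardened pattern: escape at output. This is what WordPress esc_html() does;
// the browser now shows the payload as literal text instead of parsing it.
function render_toggle_hardened(string $hide_text): string
{
    $safe = htmlspecialchars($hide_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="#" class="toc_toggle">' . $safe . '</a>';
}

// Sanitize on save as well (defence in depth). Approximates sanitize_text_field():
// strip tags, drop control characters, collapse whitespace.
function sanitize_hide_text(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean) ?? '';
    return trim(preg_replace('/\s+/', ' ', $clean) ?? '');
}

// When this file is loaded inside WordPress (for example as a small mu-plugin),
// register the sanitizer for the assumed option so markup is rejected before it is stored.
if (function_exists('add_action')) {
    add_action('admin_init', function (): void {
        register_setting('example_toc_settings_group', 'example_toc_hide_text', [
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_hide_text',
        ]);
    });
} else {
    // Stand-alone run: show the three outcomes for the constructed payload.
    echo "vulnerable: " . render_toggle_vulnerable(SAMPLE_PAYLOAD) . "\n";
    echo "hardened:   " . render_toggle_hardened(SAMPLE_PAYLOAD) . "\n";
    echo "sanitized:  '" . sanitize_hide_text(SAMPLE_PAYLOAD) . "'\n";
}
```

For the sample payload the vulnerable line emits a live `<img>` element inside the toggle link, the hardened line emits `&lt;img src=x onerror=alert(1)&gt;`, and the sanitizer returns an empty string because the entire value was a tag. Output escaping is the half that actually closes the bug; save-time sanitization on its own can be bypassed by whatever writes the option without going through the settings API, which is why both belong in the fix.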

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-5578, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2024-5578 – Table of Contents Plus – Stored XSS to Backdoor Creation – POC
