CVE-2024-6158 highlights a critical vulnerability in the popular Category Posts Widget plugin, which is available in both Free and PRO versions. With over 50,000 active installations, this plugin is widely used to enhance content display in WordPress sites by allowing the customization of category-based posts through widgets. However, during a routine security audit, researchers discovered a severe stored XSS vulnerability that could lead to account takeovers and even the creation of backdoors, especially when exploited by users with certain privileges.

CVE: CVE-2024-6158
Plugin: Category Posts Widget (Free < 4.9.17, Pro < 4.9.13)
Criticality: High
All time: 4 706 000
Active installations: 50 000+
Publicly published: August 19, 2024
Last updated: August 19, 2024
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6158
https://wpscan.com/vulnerability/8adb219f-f0a6-4e87-8626-db26e300c220/

Timeline

June 5, 2024: Plugin testing and vulnerability detection in the Category Posts Widget have been completed.
June 5, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
August 19, 2024: Registered CVE-2024-6158.

Discovery of the Vulnerability

During a routine security audit, the vulnerability in the Category Posts Widget plugin was uncovered. The flaw was found in the widget’s template customization feature, where insufficient input validation allowed the execution of untrusted scripts. A proof-of-concept (PoC) was demonstrated by creating a new “Category Posts” widget and modifying the “Template” field with %more-link%. Next, the “Read more” field was injected with a malicious JavaScript payload, such as <img src=x onerror=alert(1)>. This payload would execute when any admin or user with sufficient permissions viewed the widget, leading to a potential backdoor or account compromise.

Understanding Stored XSS Attacks

Cross-Site Scripting (XSS) is a prevalent web vulnerability where malicious actors inject untrusted scripts into trusted websites. In WordPress, this issue can be especially damaging due to the platform’s widespread use and reliance on plugins to extend functionality. Typically, XSS occurs when user-supplied input is not properly sanitized or escaped, allowing scripts to be executed in the context of another user’s browser. In the case of CVE-2024-6158, this is exactly what happens: the plugin fails to filter harmful inputs, and because WordPress allows certain roles (such as admins and editors) to use unfiltered HTML and JavaScript, the scope for exploitation increases.

Real-world examples of XSS vulnerabilities in WordPress plugins often involve scenarios where attackers steal session cookies, redirect users to phishing sites, or even use XSS to elevate privileges. With CVE-2024-6158, an attacker could exploit the plugin’s flawed design to take control of an admin account, potentially implanting further malicious code, such as PHP-based backdoors that grant persistent access to the compromised site.

Exploiting the Stored XSS Vulnerability

Exploiting this XSS vulnerability is relatively simple. Once an attacker gains access to an editor or admin account, they can create a new “Category Posts” widget and inject malicious JavaScript into the widget’s fields. By adding %more-link% to the “Template” field and replacing the “Read more” field with a script such as <img src=x onerror=alert(1)>, the attacker effectively implants the XSS payload. When the widget is viewed or previewed by another user with administrative access, the script is executed, leading to an alert popup, which is just a proof-of-concept for testing. In a real-world scenario, more sophisticated payloads could be used, such as commands to steal cookies, gain access to WordPress credentials, or perform actions like creating additional admin accounts for future exploitation.

POC:

Create a new "Category Posts" widget. First, add %more-link% to the "Template" field, then change the "Read more" field to malicious JavaScript (eval() and so on), for example <img src=x onerror=alert(1)>, and click Save Settings. Admins and editors are allowed to use JavaScript in posts, pages, comments and similar content, so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.


The potential risk of this vulnerability is significant. WordPress plugins are integral to website functionality, and a vulnerability like CVE-2024-6158 can have far-reaching consequences. If exploited, attackers could hijack admin accounts and install backdoors, gaining persistent access to the WordPress environment. This allows for unauthorized data access, file manipulation, or full control over the website. In extreme cases, the website could be used as a platform to spread malware or launch further attacks on users visiting the compromised site. Moreover, the flaw could also be exploited in targeted attacks, where specific high-profile WordPress sites are compromised to gain access to sensitive data or spread misinformation.

Recommendations for Improved Security

To mitigate the risk posed by vulnerabilities like CVE-2024-6158, several steps should be taken. First, WordPress administrators should ensure that plugins are regularly updated to their latest versions. Plugin developers should rigorously test for input sanitization and apply appropriate filtering mechanisms to user-supplied content, particularly in areas like template fields or any section that handles custom code. Additionally, restricting the use of unfiltered HTML or JavaScript, particularly for non-administrative users, can minimize the risk of XSS exploitation. Finally, site owners should implement a robust web application firewall (WAF) to detect and block malicious scripts attempting to exploit known vulnerabilities.
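The PoC above and the developer-side recommendation here come down to one rendering step: the "Read more" text is substituted into the %more-link% placeholder without escaping. The following is an added, hypothetical model of that step (it is not the plugin's code and the function names are assumptions), showing the vulnerable substitution beside a hardened one and a parser-based check that audits rendered output for active content rather than grepping for strings.

```python
import html
from html.parser import HTMLParser

# Constructed sample values mirroring the page's PoC: the widget "Template"
# holds the %more-link% placeholder and the "Read more" field holds the payload.
TEMPLATE = '<p>%title%</p>%more-link%'
READ_MORE_PAYLOAD = '<img src=x onerror=alert(1)>'
POST_URL = 'https://example.invalid/post/1'
POST_TITLE = 'Hello'

def render_vulnerable(template, title, url, read_more):
    """Hypothetical vulnerable expansion: field values are dropped into HTML verbatim."""
    more_link = f'<a class="more-link" href="{url}">{read_more}</a>'
    return template.replace('%title%', title).replace('%more-link%', more_link)

def render_hardened(template, title, url, read_more):
    """Hardened expansion: escape text nodes and attribute values before substitution
    (the WordPress equivalents are esc_html() and esc_url())."""
    more_link = (f'<a class="more-link" href="{html.escape(url, quote=True)}">'
                 f'{html.escape(read_more, quote=True)}</a>')
    return (template.replace('%title%', html.escape(title, quote=True))
                    .replace('%more-link%', more_link))

class ActiveContentFinder(HTMLParser):
    """Records script tags, on* event handlers and javascript: URLs in real tags;
    escaped text such as &lt;img ...&gt; is data, not a tag, so it is ignored."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('script')
        for name, value in attrs:
            if name.lower().startswith('on'):
                self.findings.append(f'{tag}@{name}')
            elif name.lower() in ('href', 'src') and value \
                    and value.strip().lower().startswith('javascript:'):
                self.findings.append(f'{tag}@{name}=javascript:')

def find_active_content(markup):
    parser = ActiveContentFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings

if __name__ == '__main__':
    for name, render in (('vulnerable', render_vulnerable), ('hardened', render_hardened)):
        out = render(TEMPLATE, POST_TITLE, POST_URL, READ_MORE_PAYLOAD)
        print(f'{name}: findings={find_active_content(out)}\n  {out}')
```

The same parser check can be run over the widget's rendered HTML in a test suite to catch a regression before it reaches an admin's browser.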

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6158, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability


ARTYOM K.
CVE-2024-6158 – Category Posts Widget (Free and PRO) – Stored XSS to backdoor creation – POC
