CVE-2024-6887 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Giveaways and Contests by RafflePress plugin, used by over 30,000 WordPress installations to run giveaways and contests. This vulnerability allows attackers to inject malicious JavaScript (JS) through the plugin’s settings. The attack can be initiated by users with editor-level access, resulting in account takeover, backdoor creation, and potentially long-term control over the affected WordPress site. The flaw resides in the plugin’s failure to properly sanitize inputs, particularly in the “Button color” field.

CVE: CVE-2024-6887
Plugin: Giveaways and Contests by RafflePress < 1.12.16
Critical: High
All Time: 456 789
Active installations: 30 000+
Publicly Published: August 19, 2024
Last Updated: August 19, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6887
https://wpscan.com/vulnerability/553806f4-da20-433c-8c19-35e6c87ccade/

Timeline

June 25, 2024: Plugin testing and vulnerability detection in Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers was completed
June 25, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024: Registered CVE-2024-6887

Discovery of the Vulnerability

The vulnerability was uncovered during testing of the RafflePress plugin when it was observed that the “Button color” field within the settings of a new giveaway was susceptible to XSS injection. By manipulating this field and injecting malicious JavaScript, an attacker could execute harmful scripts when an admin or editor interacted with the giveaway. The plugin failed to sanitize the input, leaving a significant attack surface for exploitation.

Understanding XSS attacks

Cross-Site Scripting (XSS) is a well-known web vulnerability that occurs when user inputs are not properly sanitized, allowing attackers to insert malicious scripts into trusted web pages. In WordPress, XSS vulnerabilities are especially dangerous due to the platform’s reliance on plugins for added functionality. Stored XSS, in particular, allows the malicious script to be saved within the site, ready to execute when certain pages or settings are accessed.

In the case of CVE-2024-6887, the vulnerable “Button color” field allows an attacker to insert malicious JavaScript, which is then executed when an admin or editor interacts with the giveaway settings or views the contest page. This type of attack can escalate privileges, steal session cookies, or execute further malicious actions on the site, such as creating additional administrator accounts or installing persistent backdoors.

Exploiting the XSS Vulnerability

To exploit CVE-2024-6887, an attacker with editor-level access can create a new giveaway using the RafflePress plugin. By injecting malicious JavaScript into the “Button color” field, such as </style><img src=x onerror=alert(1)>, the attacker stores the script within the plugin’s settings. Once the settings are saved, the script executes whenever the page or giveaway is viewed by an admin, giving the attacker control over the admin session.

POC:

Change the "Button color" field in the settings of a new Giveaway to malicious JS code (eval() etc.), for example </style><img src=x onerror=alert(1)>, then click Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)

The potential risks of CVE-2024-6887 are significant, especially for sites running contests or giveaways with high user interaction. Successful exploitation can lead to an attacker gaining full control of a site, installing persistent backdoors, or stealing sensitive data such as customer information or payment details.

In a real-world scenario, an attacker could exploit this vulnerability to inject malware into a giveaway page, redirect users to phishing sites, or steal sensitive user data submitted during the contest. Furthermore, the attacker could create unauthorized admin accounts, allowing them to control the site indefinitely, making detection and remediation more difficult.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-6887, WordPress administrators should immediately update the RafflePress plugin to the latest version as soon as a patch is released. Developers must ensure that all user inputs, especially those that modify HTML and CSS attributes like the “Button color” field, are properly sanitized and validated to prevent XSS attacks.
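The developer-side fix described above, shown as an added example that is not RafflePress code: the colour value is checked against a strict allowlist on output, so a payload such as the one in the PoC can never close the style block. Function names, the CSS class and the default colour are assumptions.

```php
<?php
// Added example (not RafflePress code): allowlist validation for a CSS colour
// setting such as the "Button color" field, beside the vulnerable rendering
// pattern it replaces. Function names and the default colour are hypothetical.

// Accept only "#rgb" or "#rrggbb"; anything else falls back to a safe default.
// WordPress core ships sanitize_hex_color() with the same rule; the regex is
// inlined here so the example runs without WordPress.
function safe_button_color(string $raw, string $default = '#0073aa'): string {
    $raw = trim($raw);
    if (preg_match('/^#([0-9A-Fa-f]{3}){1,2}$/', $raw) === 1) {
        return $raw;
    }
    return $default;
}

// Vulnerable pattern: the stored value is dropped straight into a <style>
// block, so "</style><img src=x onerror=...>" ends the block and injects HTML.
function render_button_css_unsafe(string $stored): string {
    return "<style>.rafflepress-btn{background:{$stored}}</style>";
}

// Hardened pattern: validate on save AND again on output, so the value that
// reaches the page can only ever be a hex colour, never markup or CSS escapes.
function render_button_css_safe(string $stored): string {
    $color = safe_button_color($stored);
    return "<style>.rafflepress-btn{background:{$color}}</style>";
}

// Demonstration with the payload from the PoC above (constructed input).
$payload = '</style><img src=x onerror=alert(1)>';
echo render_button_css_unsafe($payload), PHP_EOL; // markup escapes the style block
echo render_button_css_safe($payload), PHP_EOL;   // falls back to #0073aa
echo render_button_css_safe('#ff6600'), PHP_EOL;  // legitimate value is kept
```

Apply the same check in the save handler (for example inside a sanitize callback passed to register_setting()) so that the invalid value is never stored in the first place.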

Additionally, WordPress site owners should review the permissions assigned to editor-level users and restrict the use of unfiltered HTML or JavaScript wherever possible. Implementing security plugins that monitor for and block XSS attacks can add an extra layer of defense. Regular security audits of plugins and themes should also be performed to detect vulnerabilities before they can be exploited.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6887, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


ARTYOM K.
CVE-2024-6887 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC
