CVE-2024-6889 exposes a serious vulnerability in the Secure Copy Content Protection and Content Locking plugin, a tool used to prevent unauthorized content copying and to add protection measures on WordPress websites. With this vulnerability, attackers can leverage Stored Cross-Site Scripting (XSS) to inject malicious scripts and create backdoors, leading to full account takeover. The flaw allows editors to inject harmful JavaScript (JS) code into the plugin’s settings, potentially compromising the entire WordPress site.

CVE: CVE-2024-6889
Plugin: Secure Copy Content Protection and Content Locking < 4.1.7
Criticality: High
All time: 1 703 450
Active installations: 20 000+
Publicly published: August 19, 2024
Last updated: August 19, 2024
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6889
https://wpscan.com/vulnerability/9651abd1-0f66-418e-85a7-2de0c5e91bed/

Timeline

June 25, 2024: Plugin testing and vulnerability detection in the Secure Copy Content Protection and Content Locking plugin have been completed
June 25, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024: Registered CVE-2024-6889

Discovery of the Vulnerability

The vulnerability was uncovered during routine testing of the Secure Copy Content Protection and Content Locking plugin. The flaw was found in the “Custom class for tooltip container” field in the plugin’s settings. Insecure handling of user input in this field allows attackers to embed unfiltered JavaScript, which is then executed when certain parts of the plugin are displayed on the front end.

Understanding Stored XSS Attacks

Cross-Site Scripting (XSS) is a common vulnerability that occurs when user inputs are not properly sanitized, allowing attackers to insert and execute malicious scripts within a website. In WordPress, this issue is especially prevalent due to the extensive use of third-party plugins, each introducing potential security gaps.

In the case of CVE-2024-6889, the vulnerability lies in the plugin’s failure to validate the content entered into the tooltip container field. This field was not meant to handle JavaScript, but due to improper sanitization, an attacker can exploit this oversight to inject harmful scripts. When these scripts execute, they can hijack sessions, steal credentials, or even elevate privileges to create new administrator accounts, ultimately leading to full site compromise.

Exploiting the Stored XSS Vulnerability

Exploiting CVE-2024-6889 requires an attacker to have editor-level access or higher, as the vulnerability resides in a plugin setting accessible from the WordPress dashboard. To initiate the attack, the attacker enters a malicious script into the “Custom class for tooltip container” field. A simple payload like 123"</style><img src=x onerror=alert(1)> would trigger an alert, but in more sophisticated attacks, the script could silently create an admin account, install a backdoor, or perform other damaging actions.

POC:

Change the "Custom class for tooltip container" field in the settings to a malicious JS payload (eval() and the like), for example 123"</style><img src=x onerror=alert(1)>, then click Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The potential impact of CVE-2024-6889 is considerable, especially given the widespread use of the Secure Copy Content Protection and Content Locking plugin. In real-world scenarios, an attacker could exploit this vulnerability to inject a malicious script that creates an admin account without the legitimate site owner’s knowledge. The attacker could then use this access to modify the site’s content, steal sensitive data, or even take the site offline.

Another real-world application of this attack could be the distribution of malware through the compromised site. Attackers could redirect visitors to malicious websites, steal login credentials, or insert harmful scripts that target users’ browsers. The ability to create a persistent backdoor makes this vulnerability particularly dangerous, as the attacker could maintain control over the site long after the initial exploit.

Recommendations for Improved Security

To mitigate the risk of CVE-2024-6889, it is crucial that site administrators update the Secure Copy Content Protection and Content Locking plugin to the latest version as soon as a patch is released. Plugin developers must also ensure that all user inputs are properly sanitized, particularly in fields that allow customization of HTML or CSS.
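The two paragraphs above (the unvalidated tooltip-container field, and the recommendation that developers sanitize customization fields) come down to one coding pattern. The following is an added example written for this page, not the plugin's own code: a hypothetical settings option named tooltip_container_class is shown first handled the unsafe way and then the hardened way, using only WordPress core functions (sanitize_html_class, esc_attr, register_setting). The option name, settings group and function names are assumptions.

```php
<?php
// Added example (not the plugin's code). Option name "tooltip_container_class",
// settings group "scc_settings" and all function names are assumptions.

// --- Vulnerable pattern --------------------------------------------------
// The raw POST value is stored and later echoed into markup without any
// sanitization or escaping. Because the value lands inside a <style> element,
// a value such as  123"</style><img src=x onerror=alert(1)>  closes the style
// element and the injected <img> fires its onerror handler for every visitor.
function vuln_save_tooltip_class() {
    update_option( 'tooltip_container_class', $_POST['tooltip_container_class'] ?? '' );
}

function vuln_render_tooltip_css() {
    $class = get_option( 'tooltip_container_class', '' );
    echo '<style>.' . $class . ' { display: none; }</style>';
    echo '<div class="' . $class . '"></div>';
}

// --- Hardened pattern ----------------------------------------------------
// 1. A sanitize_callback registered with the setting runs on every save, so the
//    stored value can never contain anything but class-name characters.
//    sanitize_html_class() keeps only A-Z a-z 0-9 _ - and returns the fallback
//    when nothing is left; the payload above is reduced to
//    "123styleimgsrcxonerroralert1", which is harmless in both contexts below.
function scc_sanitize_tooltip_class( $value ) {
    return sanitize_html_class( (string) $value, 'scc-tooltip' );
}

add_action( 'admin_init', function () {
    register_setting( 'scc_settings', 'tooltip_container_class', [
        'type'              => 'string',
        'sanitize_callback' => 'scc_sanitize_tooltip_class',
        'default'           => 'scc-tooltip',
    ] );
} );

// 2. The sink treats the option as untrusted even though it was sanitized on
//    save: options can also be written by other code or directly in the
//    database, so sanitize again where the value is used and escape for the
//    context it is placed in.
function scc_render_tooltip_css() {
    $class = sanitize_html_class(
        get_option( 'tooltip_container_class', 'scc-tooltip' ),
        'scc-tooltip'
    );
    // Inside <style> there is no HTML escaping at all, so the character
    // whitelist is what prevents a </style> breakout; esc_attr() covers the
    // attribute context of the <div>.
    echo '<style>.' . $class . ' { display: none; }</style>';
    echo '<div class="' . esc_attr( $class ) . '"></div>';
}
```

With register_setting the settings form posts to options.php, which already enforces the manage_options capability and a nonce check, so the save path gets authorization and CSRF protection without extra code. The point of the sink-side sanitization is that a class name is a CSS/HTML token, not free text: a whitelist of the characters a class may contain is the correct control, whereas escaping alone would only stop the breakout while still storing the payload.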

In addition to updating plugins, site administrators should limit the permissions granted to editor roles, especially when it comes to inserting unfiltered HTML or JavaScript. It is advisable to use security plugins that monitor and block XSS attempts, as well as performing regular security audits to detect vulnerabilities before they can be exploited.
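The advice to limit editors' ability to insert unfiltered HTML or JavaScript can be enforced at the WordPress capability layer. The following is an added example, not part of the original post: a must-use plugin that denies the unfiltered_html capability to everyone except users with the administrator role. WordPress core also offers the DISALLOW_UNFILTERED_HTML constant in wp-config.php, which removes the capability from every user including administrators; the filter below is the narrower option. The file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html to administrators
 * Description: Added example (not part of the original post). Place in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// map_meta_cap is where core translates a meta capability such as
// 'unfiltered_html' into the primitive capabilities a user must hold.
// Returning [ 'do_not_allow' ] is the core convention for "nobody may have
// this", and it is exactly what core does when DISALLOW_UNFILTERED_HTML is set.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }

    $user     = get_userdata( $user_id );
    $is_admin = $user && in_array( 'administrator', (array) $user->roles, true );

    // Editors (and any other non-administrator role) now fail
    // current_user_can( 'unfiltered_html' ), so post content and settings
    // they submit go through the KSES filters instead of being stored raw.
    return $is_admin ? $caps : [ 'do_not_allow' ];
}, 10, 3 );
```

On a multisite install core already denies unfiltered_html to everyone but super administrators, so this filter mainly matters on single-site installs. It does not change how the plugin sanitizes its own settings field; it reduces what a compromised or malicious editor account can do elsewhere, which is the scenario the PoC note above has in mind when it says the capability should be disallowed while testing.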

Finally, implementing a web application firewall (WAF) can provide an additional layer of protection by blocking malicious requests before they reach the WordPress environment. Regularly reviewing user roles and permissions, as well as employing two-factor authentication, can further reduce the risk of account takeovers.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6889, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability


ARTYOM K.
CVE-2024-6889 – Secure Copy Content Protection and Content Locking – Stored XSS to Backdoor Creation – POC
