WPForms, one of the most popular WordPress plugins for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-7056. This flaw allows attackers with editor privileges to inject malicious JavaScript code into the plugin’s settings, which could then be executed when interacting with the form. The vulnerability can lead to account takeover and backdoor creation, posing significant risks to WordPress websites using WPForms. With over 6 million active installations, this vulnerability affects a vast number of websites, making it a serious concern.
| CVE | CVE-2024-7056 |
| Plugin | WPForms < 1.9.1.6 |
| Critical | High |
| All Time | 245 121 243 |
| Active installations | 6 000 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7056 https://wpscan.com/vulnerability/467af13e-25bd-425c-929d-5dd06e28d595/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| June 15, 2024 | Plugin testing and vulnerability detection in the WPForms have been completed |
| June 15, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-7056 |
Discovery of the Vulnerability
The vulnerability was discovered during a thorough security assessment of the WPForms plugin. It was found that the plugin fails to properly sanitize input in the “Required” parameter field within the “Validation” section of form settings. This flaw allows an attacker with editor-level privileges to insert malicious JavaScript into the form’s validation settings. Since WPForms does not sanitize this field properly, any malicious code entered here is stored and executed when the form is interacted with. The ability to execute arbitrary JavaScript on a site provides an attacker with the potential to steal session cookies, manipulate form submissions, or gain access to administrative privileges.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are among the most prevalent security flaws in web applications. XSS occurs when an attacker can inject malicious scripts into web pages viewed by other users. These scripts can be used for a variety of malicious purposes, including stealing sensitive data, hijacking user sessions, and escalating privileges. In the context of WordPress, XSS is commonly found in plugins and themes that allow user-generated content, such as comments, posts, and form fields.
Exploiting the XSS Vulnerability
To exploit CVE-2024-7056, an attacker with editor-level privileges can navigate to the WPForms settings and insert a malicious payload such as <img src=x onerror=alert(1)>
POC:
Go to Settings Insert the payload into the Required parameter in Validation section PoC payload: <img src=x onerror=alert(1)>____
The potential risks associated with CVE-2024-7056 are substantial. If exploited, an attacker could use the injected script to steal sensitive user information, such as login credentials, by capturing session cookies or executing phishing attacks. In a more severe scenario, the attacker could escalate their privileges, creating a backdoor admin account and gaining full control over the site. Once in control, the attacker could modify form data, redirect users to malicious sites, or use the site as a platform for further attacks. This type of vulnerability is particularly dangerous for websites that handle sensitive data, such as e-commerce sites, membership portals, or sites with user-generated content. The attack could also serve as a stepping stone for further exploitation, potentially compromising the entire WordPress installation.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-7056, it is essential for WordPress administrators to update WPForms to the latest version as soon as a patch is released. Administrators should also review user permissions, ensuring that non-admin users (such as editors) do not have access to sensitive settings that could lead to XSS vulnerabilities. The plugin should sanitize all user inputs, particularly in form validation fields, to prevent the injection of malicious scripts. Additionally, administrators should restrict the unfiltered_html capability for non-trusted users and use security plugins to scan for vulnerabilities in WordPress plugins and themes. Implementing a Content Security Policy (CSP) can also help mitigate the impact of any successful XSS attacks by blocking untrusted scripts from executing. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7056, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
