CVE-2024-7132 exposes a critical flaw in the CoBlocks plugin, a widely used WordPress extension with over 400,000 installations. This Stored XSS vulnerability can be exploited by contributors to embed malicious JavaScript code within posts, leading to unauthorized actions, including the creation of admin accounts. The vulnerability highlights the significant security risks associated with improper input validation in WordPress plugins, particularly in environments where user roles and permissions are not tightly controlled.

CVE: CVE-2024-7132
Plugin: CoBlocks < 3.1.13
Critical: High
All Time: 22 303 450
Active installations: 400 000+
Publicly Published: August 19, 2024
Last Updated: August 19, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7132
https://wpscan.com/vulnerability/16deb743-6fe9-43a2-9586-d92cfe1daa17/

Timeline

July 19, 2024: Plugin testing and vulnerability detection in CoBlocks were completed.
July 19, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
August 19, 2024: Registered CVE-2024-7132.

Discovery of the Vulnerability

During a penetration test of the CoBlocks plugin, a vulnerability was discovered that allows contributors—users typically granted limited permissions—to inject and execute malicious JavaScript code within WordPress posts. The vulnerability is located within the “Post Carousel” block, which allows users to showcase post content in a rotating format. The block fails to properly sanitize input when a new post is created, allowing attackers to inject XSS payloads such as <img src=x onerror=alert(1)>.

Understanding Stored XSS Attacks

Cross-Site Scripting (XSS) is one of the most commonly exploited vulnerabilities in WordPress, especially through third-party plugins like CoBlocks. XSS vulnerabilities occur when input fields, such as those used to create posts or blocks, are not sufficiently sanitized, allowing attackers to insert and execute scripts in the browser of unsuspecting users. These scripts can be used to steal sensitive information, hijack sessions, or escalate privileges.

In the case of CoBlocks, contributors—typically a lower-privileged user role—are able to inject JavaScript into the “Post Carousel” block due to insufficient sanitization. When a site administrator views the post, the script is executed, often without any visible signs of the attack. In more severe cases, such scripts can create new admin accounts or install backdoors, providing the attacker with full control over the WordPress site.

Exploiting the Stored XSS Vulnerability

Exploiting CVE-2024-7132 is relatively straightforward for a contributor with post creation privileges. The attacker first creates a post containing a malicious script, such as the XSS payload <img src=x onerror=alert(1)>. Once this payload is embedded, the attacker then adds a “Post Carousel” block to a new post, which displays content from various posts on the site.

POC:

First, create a new post with this content: <img src=x onerror=alert(1)>. Then create a second post and add the "Post Carousel" block to it.


The potential risk of CVE-2024-7132 is substantial, particularly for WordPress sites with multiple contributors or those that rely on plugins like CoBlocks for content creation. The vulnerability allows attackers to bypass security restrictions by leveraging the contributor role to execute harmful scripts, potentially leading to full site compromise.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-7132, WordPress site administrators should immediately update CoBlocks to the latest version, as the developers are expected to release a patch addressing this issue (the affected range listed above is below 3.1.13). It is also essential to review and restrict user roles and permissions, particularly for contributors who may not need access to blocks or post types that could introduce vulnerabilities.

Additionally, developers of WordPress plugins like CoBlocks should implement rigorous input sanitization measures to prevent XSS attacks. Website owners can further protect themselves by employing a comprehensive security plugin that monitors for XSS attempts and blocks malicious scripts before they can be executed. Regular security audits of plugins and their interactions with WordPress core functionalities will help identify vulnerabilities early and reduce the risk of exploitation.
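The two defensive points above, escaping untrusted post content before it is rendered and monitoring stored content for XSS attempts, are illustrated by the following Python example. It is an added example written for this page, not CoBlocks code and not WordPress code: the render functions stand in for a carousel block's server-side rendering, `html.escape()` plays the role that `esc_html()` plays in WordPress, and the sample posts (including the payload from the PoC) are constructed inline.

```python
import html
import re

# Constructed sample data: one benign post and one contributor-authored post
# whose body carries the payload from the advisory's PoC.
SAMPLE_POSTS = [
    {"id": 1, "title": "Quarterly update", "excerpt": "Numbers are up 5% this quarter."},
    {"id": 2, "title": "Hello", "excerpt": "<img src=x onerror=alert(1)>"},
]


def render_carousel_vulnerable(posts):
    """Builds carousel markup by concatenating raw post fields.

    This is the pattern the advisory describes: whatever a contributor stored in
    the post is emitted unchanged into the page an administrator later views.
    """
    items = [
        f'<div class="slide"><h3>{p["title"]}</h3><p>{p["excerpt"]}</p></div>'
        for p in posts
    ]
    return '<div class="carousel">' + "".join(items) + "</div>"


def render_carousel_hardened(posts):
    """Escapes every untrusted field for the HTML text context before concatenation.

    html.escape() converts <, >, &, and quotes to entities, so the stored payload
    is displayed as literal text instead of being parsed as an <img> element.
    (In WordPress the equivalent for this context is esc_html().)
    """
    items = [
        f'<div class="slide"><h3>{html.escape(p["title"], quote=True)}</h3>'
        f'<p>{html.escape(p["excerpt"], quote=True)}</p></div>'
        for p in posts
    ]
    return '<div class="carousel">' + "".join(items) + "</div>"


# Detection heuristics for a monitoring job that reviews stored post content:
# an inline event-handler attribute (onerror=, onload=, ...) inside a tag, or a
# <script> tag. Both are things a contributor-level post should never contain.
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_suspicious_posts(posts):
    """Returns the ids of posts whose stored fields match the XSS heuristics."""
    flagged = []
    for p in posts:
        for field in ("title", "excerpt"):
            value = p[field]
            if EVENT_HANDLER.search(value) or SCRIPT_TAG.search(value):
                flagged.append(p["id"])
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_carousel_vulnerable(SAMPLE_POSTS))
    print("hardened:  ", render_carousel_hardened(SAMPLE_POSTS))
    print("flagged post ids:", find_suspicious_posts(SAMPLE_POSTS))
```

Escaping at output time is the fix that actually closes the bug: it makes no assumption about who authored the content or how it reached the database. The regex scan is only a monitoring aid; it catches the obvious payload shapes and is useful for alerting on contributor activity, but it is not a substitute for escaping, and a block that legitimately needs to show limited HTML should run the content through an allow-list sanitizer (WordPress's `wp_kses_post()`) rather than rely on pattern matching.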

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7132, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability


ARTYOM K.
CVE-2024-7132 – CoBlocks – Stored XSS to Admin Account Creation – POC
