CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.

CVECVE-2024-7133
PluginMy Sticky Bar < 2.7.3
CriticalHigh
All Time3 163 609
Active installations100 000+
Publicly PublishedAugust 19, 2024
Last UpdatedAugust 19, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7133
https://wpscan.com/vulnerability/c81c1622-33d1-41f2-ba63-f06bd4c125ab/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

June 25, 2024Plugin testing and vulnerability detection in the My Sticky Bar have been completed
June 25, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024Registered CVE-2024-7133

Discovery of the Vulnerability

During testing, security researchers discovered that the plugin does not properly sanitize inputs in the “Font size” field when creating a new sticky bar. This vulnerability allows attackers with editor-level permissions to insert malicious JavaScript. By exploiting this flaw, attackers can execute the code whenever an admin or another privileged user interacts with the sticky bar settings.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) is a common vulnerability that occurs when user inputs are not properly validated or sanitized. XSS allows attackers to inject malicious code into web pages that other users interact with. In WordPress, plugins are a common vector for XSS attacks due to the wide range of functionalities they add, and the My Sticky Bar plugin is no exception.

Stored XSS attacks, such as CVE-2024-7133, occur when malicious code is saved on the website’s backend and executed whenever a user with the appropriate privileges views or interacts with the compromised data. This is particularly dangerous because the attacker can maintain persistent control over the site, steal session cookies, or manipulate site settings without the admin’s knowledge.

In this case, the XSS vulnerability is present in the “Font size” field of the My Sticky Bar plugin, which allows the attacker to insert a harmful script. When the sticky bar is displayed or edited by an admin, the malicious code is executed. Past XSS vulnerabilities in WordPress have been used for a wide range of attacks, including site defacement, session hijacking, and even data theft.

Exploiting the XSS Vulnerability

To exploit CVE-2024-7133, an attacker with editor-level access can create a new sticky bar using the My Sticky Bar plugin. By injecting a payload such as 1123"dshf=+"";shfd="\";</style><img+src=x+onerror=alert(1)> into the “Font size” field, the attacker stores the malicious script within the plugin’s settings. Once the settings are saved, the script is triggered when an admin views or interacts with the bar, allowing the attacker to execute unauthorized commands.

POC:

You should click on "My Sticky Bar" and create "New Bar". Change mysticky_option_welcomebar%5Bmysticky_welcomebar_fontsize%5D field to 1123"dshf=+"";shfd="\";</style><img+src=x+onerror=alert(1)> -> Save Settings

____

The risk posed by CVE-2024-7133 is significant, particularly for sites using the My Sticky Bar plugin to engage with users or highlight important content. A successful attack could result in complete control of the website, allowing the attacker to deface the site, steal sensitive information, or redirect users to malicious websites.

In real-world scenarios, attackers could exploit this vulnerability to install persistent backdoors that give them ongoing access to the site. This could be particularly damaging for businesses that rely on their WordPress site for customer engagement, e-commerce, or lead generation. By maintaining control, attackers could monitor user activity, steal credentials, or manipulate site content for malicious purposes.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-7133, it is essential that WordPress administrators update the My Sticky Bar plugin to the latest version as soon as a patch is available. Plugin developers must implement input sanitization to prevent malicious scripts from being injected into fields like the “Font size” setting.

Administrators should also review user permissions and limit the ability for editors to inject unfiltered HTML or JavaScript into the site. Using security plugins to monitor for suspicious activity or block XSS attempts can provide an additional layer of protection. It is also advisable to regularly audit plugin settings and code to detect vulnerabilities before they can be exploited.

Finally, implementing a web application firewall (WAF) can help block malicious requests before they reach the server, preventing XSS and other web-based attacks from taking place.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7133, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.
CVE-2024-7133 – My Sticky Bar (myStickymenu) – Stored XSS to JS Backdoor Creation – POC

Create your CleanTalk account



By signing up, you agree with license. Have an account? Log in.


Leave a Reply

Your email address will not be published. Required fields are marked *