CVE-2024-8187 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability in the Smart Post Show plugin, a popular WordPress plugin with over 30,000 installations. This vulnerability allows attackers with editor-level access to inject malicious JavaScript (JS) into the plugin’s settings. If exploited, the vulnerability enables account takeover, backdoor creation, and long-term control over the WordPress site. The issue stems from improper input validation, particularly in the post grid settings.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-8187 |
| Plugin | Smart Post Show <= 3.0.0 |
| Severity | High |
| All Time | 556 313 |
| Active installations | 30 000+ |
| Publicly Published | September 14, 2024 |
| Last Updated | September 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8187 , https://wpscan.com/vulnerability/0e51b3b5-f003-4af9-8538-95f266065e36/ |
Timeline

| Date | Event |
| --- | --- |
| July 17, 2024 | Plugin testing and vulnerability detection in Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More completed |
| July 17, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 14, 2024 | Registered CVE-2024-8187 |
Discovery of the Vulnerability
The vulnerability was discovered during security testing, where it was found that the plugin’s “Post Grid” creation process is susceptible to XSS attacks. The flaw exists in the “sp_pcp_view_options%5Bpcp_pagination_color_set%5D%5Bpcp_pagination_color%5D%5Bcolor%5D” field (the URL-encoded form of the option array key sp_pcp_view_options[pcp_pagination_color_set][pcp_pagination_color][color]), which does not properly sanitize user input, allowing the insertion of harmful scripts.
Understanding XSS Attacks
Cross-Site Scripting (XSS) occurs when user input is not properly sanitized, allowing attackers to inject malicious scripts into web pages. In WordPress, XSS vulnerabilities are particularly dangerous as they can be used to manipulate site content, steal data, or gain unauthorized access to admin accounts.
In the case of CVE-2024-8187, the vulnerability lies in the post grid settings, where contributors or editors can embed malicious JavaScript. When the grid is viewed by an admin or another user with higher privileges, the script is executed, leading to potential account hijacking or further malicious actions. Similar XSS vulnerabilities in WordPress plugins have resulted in data theft, site defacement, or the creation of persistent backdoors for long-term access.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-8187 requires an attacker with editor-level access to create a new post grid using the Smart Post Show plugin. By injecting a script like `123" onmouseover=alert(1)//` into the pagination color field (`sp_pcp_view_options%5Bpcp_pagination_color_set%5D%5Bpcp_pagination_color%5D%5Bcolor%5D`), the attacker stores the malicious payload in the plugin’s settings.
PoC:
Go to the creation of a new Post Grid. Change the "sp_pcp_view_options%5Bpcp_pagination_color_set%5D%5Bpcp_pagination_color%5D%5Bcolor%5D" field to `123" onmouseover=alert(1)//` -> Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
____
The risks associated with CVE-2024-8187 are severe. A successful exploit could allow attackers to hijack admin accounts, create unauthorized admin users, or inject further malicious code into the site. The creation of persistent backdoors could give attackers long-term access to the site, allowing them to manipulate content, steal sensitive data, or even use the compromised site to launch attacks on other websites.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-8187, WordPress administrators should update the Smart Post Show plugin to the latest version once a patch is released. Plugin developers must implement proper input sanitization, ensuring that fields like the pagination color field do not accept unfiltered JavaScript or HTML.
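The following is an added, self-contained example (not the plugin's code, and not written by the researcher) that reconstructs the defect class described above and the fix recommended here. A colour value is interpolated into an HTML attribute; the quoted payload `123" onmouseover=alert(1)//` closes the attribute and starts an event-handler attribute. The hardened path does what a WordPress plugin should do with `sanitize_hex_color()` on save and `esc_attr()` on output: allowlist the value as a hex colour, fall back to a default when it is not one, and still escape at render time. The template markup, the option keys other than the one named in the advisory, and the `audit_options` helper are assumptions made for the example.

```python
import html
import re

# Constructed sample of a stored plugin option array. The first value is the
# payload quoted in the advisory; the other two are benign colours an editor
# might legitimately save. Keys other than the first are invented for this
# example.
STORED_OPTIONS = {
    "pcp_pagination_color": '123" onmouseover=alert(1)//',
    "pcp_pagination_bg": "#ff8800",
    "pcp_pagination_hover": "#FFF",
}

def render_vulnerable(color: str) -> str:
    """Template that drops the stored value into an attribute unescaped.
    This reconstructs the vulnerability class, not the plugin's real code."""
    return f'<a class="pcp-page" style="color:{color}" href="#">1</a>'

def sanitize_hex_color(value: str):
    """Allowlist validator modelled on WordPress' sanitize_hex_color():
    returns the value if it is a 3- or 6-digit hex colour, otherwise None."""
    if re.fullmatch(r"#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})", value):
        return value
    return None

def render_hardened(color: str, default: str = "#000000") -> str:
    """Validate on save AND escape on output (defence in depth): a value that
    is not a hex colour is replaced by the default, and the result is
    attribute-escaped the way esc_attr() would do it in WordPress."""
    safe = sanitize_hex_color(color) or default
    return f'<a class="pcp-page" style="color:{html.escape(safe, quote=True)}" href="#">1</a>'

def attribute_breakout(rendered: str) -> bool:
    """Detector for the symptom: an event-handler attribute (on...=) appearing
    in markup that the template never emits on its own."""
    return re.search(r"\son[a-z]+\s*=", rendered, re.IGNORECASE) is not None

def audit_options(options: dict) -> list:
    """Defender-side check over already-stored option values: report every
    key whose value would not pass the hex-colour allowlist."""
    return [key for key, value in options.items() if sanitize_hex_color(value) is None]

if __name__ == "__main__":
    payload = STORED_OPTIONS["pcp_pagination_color"]
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
    print("suspicious option keys:", audit_options(STORED_OPTIONS))
```

Running the block shows the vulnerable render containing a live `onmouseover` attribute, the hardened render reduced to the default colour, and `pcp_pagination_color` flagged by the audit. The audit function is the useful part for site administrators: the same allowlist that the plugin should apply on save can be run over existing option values to find payloads that were stored before a patch.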
In addition to updating the plugin, site administrators should review user roles and permissions to limit the use of unfiltered HTML or JavaScript by editors or contributors. Installing a security plugin that monitors for XSS attacks and blocks malicious scripts can provide additional protection. Regular security audits of plugins and site configurations are also recommended to detect and fix vulnerabilities before they can be exploited.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8187, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.