CVE-2024-8239 uncovers a serious Stored Cross-Site Scripting (XSS) vulnerability in the Starbox – The Author Box for Humans plugin, used by over 40,000 WordPress sites to display author profiles and bios. This vulnerability allows contributors to inject malicious JavaScript (JS) into their profile settings, specifically through the “Twitter URL” field, which can lead to admin account creation and backdoor access. If exploited, attackers can hijack the WordPress site’s admin functionality and maintain persistent control.
| CVE | CVE-2024-8239 |
| Plugin | Starbox < 3.5.3 |
| Critical | High |
| All Time | 494 312 |
| Active installations | 40 000+ |
| Publicly Published | September 14, 2024 |
| Last Updated | September 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8239 https://wpscan.com/vulnerability/02796da0-218d-4cbb-98ca-49eeea83cac5/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| August 26, 2024 | Plugin testing and vulnerability detection in the Starbox – the Author Box for Humans have been completed |
| August 26, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 14, 2024 | Registered CVE-2024-8239 |
Discovery of the Vulnerability
This vulnerability was discovered during a security review of the Starbox plugin. The flaw was found in the user profile section, where insufficient sanitization of the “Twitter URL” field allows contributors to insert JavaScript code. Once saved, the injected script can execute when the admin or another user interacts with the profile or previews recent posts by the author.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities in WordPress occur when user inputs are not properly sanitized, allowing attackers to embed and execute untrusted scripts within a website. Stored XSS, such as in CVE-2024-8239, is particularly dangerous because the malicious script is stored in the database and triggered whenever an admin or editor views the infected content.
In the context of the Starbox plugin, the vulnerability stems from the lack of sanitization in user profile fields, allowing contributors to inject JavaScript. XSS vulnerabilities are commonly exploited in WordPress plugins where input fields are not properly handled. Real-world examples of XSS in WordPress have resulted in account hijacking, site defacement, and data theft.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-8239 requires an attacker to access the profile page, typically with contributor-level permissions. The attacker can then insert malicious JavaScript code into the “Twitter URL” field, such as:
POC:
1) Go to your profile 2) Change Twitter URL field to JS like -> 123" onmouseover=alert(1)// style=display:block;width:100px;height:100px;' 3) Refresh page and check recent posts in preview block 4) Additionaly, you can check XSS with shortcode stabox and id paramert of your user____
The risks associated with CVE-2024-8239 are significant. If exploited, this vulnerability can lead to admin account takeover, allowing the attacker to gain full control over the WordPress site. This could result in the attacker defacing the website, stealing sensitive data, or injecting malware into the site’s content.
In real-world scenarios, attackers could exploit this vulnerability to create persistent backdoors, allowing them to maintain access to the site even after the initial attack is discovered. E-commerce websites and content-heavy platforms are particularly vulnerable, as attackers could steal user data, manipulate content, or redirect visitors to malicious sites.
Recommendations for Improved Security
To protect against CVE-2024-8239, WordPress administrators should immediately update the Starbox plugin to the latest version once a patch is released. Plugin developers must ensure that all user inputs, particularly in profile fields like the “Twitter URL,” are properly sanitized to prevent XSS attacks.
Additionally, site administrators should review and restrict user roles and permissions, limiting the ability of contributors to insert unfiltered HTML or JavaScript. Installing security plugins that monitor for and block XSS attacks can provide an extra layer of defense. Regular security audits of plugins and user profiles should also be conducted to detect vulnerabilities before they are exploited.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8239, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
ARTYOM K.
