CVE-2024-8284 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Download Manager plugin, which is used by over 100,000 WordPress installations to manage and protect downloadable files. The flaw allows an attacker with editor-level permissions to store malicious JavaScript (JS) in the plugin’s settings, specifically in the “Login Required Message” field. Because the payload runs in the browser of whoever is shown that message, exploitation can lead to the creation of backdoors, admin account takeover, and long-term control of the WordPress site.

CVE: CVE-2024-8284
Plugin: Download Manager <= 3.2.98
Severity: High
All-time downloads: 8 960 323
Active installations: 100 000+
Publicly published: September 14, 2024
Last updated: September 14, 2024
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8284
https://wpscan.com/vulnerability/93e38b8c-8a2e-4264-b520-ebdbe995d61e/

Timeline

June 30, 2024: Plugin testing and vulnerability detection in the Download Manager have been completed
June 30, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it
September 14, 2024: Registered CVE-2024-8284

Discovery of the Vulnerability

The vulnerability was uncovered during security testing of the Download Manager plugin. It was discovered that the “Login Required Message” field in the main settings fails to sanitize user inputs, enabling attackers to embed harmful JavaScript code. Once saved, the malicious script is executed whenever a user interacts with the plugin’s download interface, potentially leading to admin session hijacking or backdoor creation.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities arise when user inputs are not properly sanitized, allowing attackers to inject malicious scripts into a web page. In WordPress, XSS vulnerabilities can be particularly dangerous because they can lead to session hijacking, privilege escalation, or full site takeover.

Stored XSS, as demonstrated in CVE-2024-8284, is a type of XSS where the injected script is stored in the site’s database and executed whenever the affected component is accessed. This vulnerability in the Download Manager plugin allows attackers to insert JavaScript into the “Login Required Message” field, leading to the execution of malicious code when an administrator or another privileged user interacts with the download settings. This can result in the attacker gaining admin access or inserting persistent backdoors.

Exploiting the XSS Vulnerability

To exploit CVE-2024-8284, an attacker with editor-level access creates a new download and stores a JavaScript payload in the plugin’s “Login Required Message” setting. The value is saved without sanitization and is executed in the browser of anyone to whom the message is rendered.

POC:

1. Create a new download.
2. In the plugin’s main settings, change the “Login Required Message” field to a JavaScript payload (any executable code, eval() and the like), for example <img src=x onerror=alert(1)>, and click Save Settings.
3. Open the download page on which the message is displayed; the payload executes.

Note: admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.


The risks associated with CVE-2024-8284 are significant. A successful exploit can lead to admin account takeover, site defacement, and the installation of persistent backdoors, allowing attackers to maintain long-term access to the site. High-traffic websites and e-commerce platforms using the Download Manager plugin are particularly attractive targets, as attackers could use the site to steal sensitive customer data or manipulate downloadable files to distribute malware.

In real-world scenarios, attackers could use this vulnerability to hijack admin accounts, inject malicious content into downloadable files, or redirect users to phishing sites. The creation of persistent backdoors also enables attackers to retain access to the site long after the initial exploit is discovered and patched.

Recommendations for Improved Security

To mitigate the risks of CVE-2024-8284, WordPress administrators should update the Download Manager plugin to a version newer than 3.2.98, since all versions up to and including 3.2.98 are affected. Developers must ensure that free-text settings such as the “Login Required Message” field are sanitized when saved (for instance with WordPress’s wp_kses_post() or sanitize_text_field()) and escaped again when rendered (esc_html() or wp_kses_post()), so that stored JavaScript can never reach the browser.

Additionally, site administrators should review and restrict user roles and permissions, in particular removing the unfiltered_html capability from editors (the DISALLOW_UNFILTERED_HTML constant does this globally) so that no non-administrator role can insert raw HTML or JavaScript. Installing a security plugin that monitors and blocks XSS attacks can provide an additional layer of protection. Regular audits of plugin settings and configurations, looking for script tags, event-handler attributes and javascript: URLs in stored values, should also be conducted to catch payloads that are already in the database.
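The following Python is an added example, not code from the Download Manager plugin or from CleanTalk: it reproduces the bug class behind the PoC above (a free-text admin setting echoed back unescaped) beside a sanitize-on-save, escape-on-output fix in the style of wp_kses(), and reuses the same parser for the settings audit recommended above. The allow-list, the CSS class name, the option names and the sample values are all constructed for the example.

```python
"""Stored-XSS demo: vulnerable vs. hardened rendering of a stored message,
plus an audit that scans stored settings for script vectors.
Added example; the tag allow-list and all names below are made up."""
import html
from html.parser import HTMLParser

# Allow-list in the spirit of wp_kses(): a login-required message needs inline
# formatting and a link, nothing else.  Tags not listed are dropped entirely.
ALLOWED = {
    "a": {"href", "title"},
    "strong": set(), "em": set(), "b": set(), "i": set(),
    "p": set(), "br": set(),
}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "/", "#")


def is_script_vector(attr, value):
    """True when an attribute can execute script, whatever the tag."""
    attr = attr.lower()
    if attr.startswith("on"):                      # onerror=, onload=, onclick= ...
        return True
    if attr in ("href", "src", "action", "formaction") and value:
        v = "".join(value.split()).lower()         # defeat "java\nscript:" tricks
        return v.startswith(("javascript:", "data:", "vbscript:"))
    return False


class KsesParser(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags/attributes and records
    every script vector seen, so one parser serves sanitizer and audit."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if is_script_vector(name, value):
                self.findings.append(f"<{tag} {name}={value!r}>")
        if tag == "script":
            self.findings.append("<script>")
        if tag not in ALLOWED:
            return                                 # drop the tag, keep the text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or is_script_vector(name, value):
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_message(raw):
    """Sanitize on save: only allow-listed markup survives."""
    p = KsesParser()
    p.feed(raw)
    p.close()
    return "".join(p.out)


def render_vulnerable(stored):
    """The pattern behind the CVE: the stored setting is echoed verbatim."""
    return f'<div class="login-required-message">{stored}</div>'


def render_hardened(stored):
    """Run the allow-list again on output, so a value that reached the
    database by another path (SQL, import, older version) still cannot run."""
    return f'<div class="login-required-message">{sanitize_message(stored)}</div>'


def audit_settings(options):
    """Scan stored option values (e.g. a wp_options export) for script
    vectors; returns (option_name, vector) pairs, empty when clean."""
    hits = []
    for name, value in options.items():
        if isinstance(value, str):
            p = KsesParser()
            p.feed(value)
            p.close()
            hits.extend((name, f) for f in p.findings)
    return hits


# Constructed sample: the PoC payload next to legitimate settings.
PAYLOAD = "<img src=x onerror=alert(1)>"
SAMPLE_OPTIONS = {                                 # option names are made up
    "example_login_required_message": "Please <strong>log in</strong>. " + PAYLOAD,
    "example_download_button_label": "Download",
    "example_footer_note": '<a href="javascript:alert(document.cookie)">terms</a>',
}

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))              # onerror handler survives
    print(render_hardened(PAYLOAD))                # <img> dropped, nothing runs
    for name, vector in audit_settings(SAMPLE_OPTIONS):
        print(f"stored XSS indicator in {name}: {vector}")
```

Escaping on output is the half that closes the door even when the save path is bypassed; the audit is a triage aid for settings already in the database, not a substitute for fixing the plugin.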

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8284, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2024-8284 – Download Manager – Stored XSS to Backdoor Creation – POC
