CVE-2024-8536 presents a serious security risk in the Ultimate Blocks plugin, used by over 70,000 WordPress sites to enhance post content with custom blocks. This vulnerability allows attackers, specifically users with contributor-level access, to inject malicious JavaScript (JS) into a new post using the plugin’s “Expand” block feature. If exploited, this can lead to admin account creation and full site takeover, putting the entire WordPress installation at risk.

CVECVE-2024-8536
PluginUltimate Blocks < 3.2.2
CriticalHigh
All Time 1 457 789
Active installations70 000+
Publicly PublishedAugust 19, 2024
Last UpdatedAugust 19, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8536
https://wpscan.com/vulnerability/abd5b6c6-f541-4739-882d-2011436f7a8b/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

August 5, 2024Plugin testing and vulnerability detection in the Ultimate Blocks have been completed
August 5, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024Registered CVE-2024-8536

Discovery of the Vulnerability

During a routine security review of the Ultimate Blocks plugin, a vulnerability was found in how the plugin handles user input for the “Expand” block. The flaw allows contributors to embed harmful JavaScript code in the block’s settings without proper sanitization. This injected code executes whenever an admin or another privileged user interacts with the post containing the malicious block, leading to account hijacking or the creation of backdoors.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) is a well-known security vulnerability that occurs when a web application fails to properly sanitize user input. In WordPress, XSS is especially dangerous as it can allow attackers to inject malicious code into pages, posts, or plugin settings. Stored XSS, such as in CVE-2024-8536, is particularly harmful because the malicious script is stored in the site’s backend and executed when a privileged user views or edits the affected content.

In the context of WordPress plugins like Ultimate Blocks, XSS can be exploited by contributors or editors to escalate privileges. A contributor could inject a script that executes when an admin reviews their post, leading to session hijacking, credential theft, or full site control. Similar vulnerabilities have been exploited in the past to insert hidden admin accounts or install malware on WordPress sites.

Exploiting the XSS Vulnerability

To exploit CVE-2024-8536, an attacker with contributor-level access creates a new post using the Ultimate Blocks plugin’s “Expand” block. By injecting a malicious script into the “clickText” field, the attacker embeds the JavaScript payload directly into the post. When the post is reviewed or viewed by an administrator, the script is executed.

A simple proof-of-concept payload like onmouseover=alert(1) may be used to demonstrate the vulnerability, but more sophisticated attacks could involve creating new admin accounts, stealing session cookies, or redirecting the user to malicious websites. Once the attacker gains admin privileges, they can take control of the site, modify its content, or even introduce backdoors for future access.

POC:

<!-- wp:ub/expand {\"blockID\":\"2c04a443-500a-4bc6-9b94-b33c0ce7b29c\",\"allowScroll\":true,\"scrollOption\":\"fixedamount\",\"scrollOffset\":44} -->\n<!-- wp:ub/expand-portion {\"clickText\":\"show more\",\"displayType\":\"partial\",\"parentID\":\"2c04a443-500a-4bc6-9b94-b33c0ce7b29c\",\"blockID\":\"0309a91e-81df-4953-a3af-fb2f9f6cb0f7\"} /-->\n\n<!-- wp:ub/expand-portion {\"clickText\":\"show lesss\",\"displayType\":\"123\\u0022onmouseover=alert(1)//\",\"parentID\":\"2c04a443-500a-4bc6-9b94-b33c0ce7b29c\",\"blockID\":\"72676c12-2f13-4340-a856-fffc6cac944d\"} /-->\n<!-- /wp:ub/expand -->

____

The risks associated with CVE-2024-8536 are considerable, especially given the widespread use of Ultimate Blocks in content-heavy WordPress sites. If an attacker exploits this vulnerability, they could easily escalate privileges and create unauthorized admin accounts, effectively taking over the site. This could lead to data theft, site defacement, or the installation of malicious software.

In a real-world scenario, an attacker might exploit this vulnerability on a business or e-commerce website to inject hidden backdoors, allowing them to steal sensitive customer information or manipulate site content. The potential for widespread damage is high, particularly for sites that rely on Ultimate Blocks for content management and enhancement.

Recommendations for Improved Security

To protect against CVE-2024-8536, it is essential that WordPress site administrators update the Ultimate Blocks plugin as soon as a patch is released. Plugin developers should implement proper input sanitization for all fields that accept user input, particularly in block attributes like “clickText.”

In addition to updating the plugin, administrators should review the permissions assigned to contributors and other non-admin roles, limiting their ability to insert unfiltered HTML or JavaScript. Using security plugins that monitor for XSS attacks and block suspicious activity can also help prevent exploitation.

Finally, regular security audits of WordPress installations and plugin configurations should be conducted to identify and mitigate vulnerabilities before they can be exploited. Employing a web application firewall (WAF) can provide an extra layer of protection, filtering out malicious scripts before they reach the WordPress environment.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8536, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.
CVE-2024-8536 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

Create your CleanTalk account



By signing up, you agree with license. Have an account? Log in.


Leave a Reply

Your email address will not be published. Required fields are marked *