Max Buttons is a widely used WordPress plugin that allows users to create customizable buttons for their website. However, a critical vulnerability, CVE-2024-8968, has been identified in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Text color” field when creating a new button, which can be stored and executed when the settings are accessed. The injected script can lead to account takeover and the creation of a backdoor, allowing attackers to gain admin access to the site. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using Max Buttons.
| CVE | CVE-2024-8968 |
| Plugin | MaxButtons < 9.8.1 |
| Critical | High |
| All Time | 4 894 512 |
| Active installations | 100 000+ |
| Publicly Published | November 9, 2024 |
| Last Updated | November 9, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8968 https://wpscan.com/vulnerability/cab4d23e-e857-4b2f-b1ca-fbafd37524e0/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| September 17, 2024 | Plugin testing and vulnerability detection in the Max Buttons have been completed |
| September 17, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 9, 2024 | Registered CVE-2024-8968 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of Max Buttons. It was found that the plugin does not properly sanitize the input in the “Text color” field when creating a new button. This oversight allows attackers with editor-level access to inject JavaScript code into the field. The malicious code is stored in the WordPress database and executed when the settings page is revisited or when the button is rendered. The flaw arises from improper input sanitization, allowing contributors and editors, who are typically granted lower permissions, to inject JavaScript into plugin settings. This vulnerability could easily be exploited by low-privileged users with access to the plugin’s settings.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a common vulnerability in web applications that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can be used for a variety of malicious activities, including stealing sensitive information, hijacking user sessions, and escalating privileges. A notable real-world example of XSS in WordPress was the vulnerability found in the Contact Form 7 plugin, where an attacker could inject scripts into form fields, allowing for session hijacking. Similarly, CVE-2024-8968 exploits improper sanitization in Max Buttons, allowing malicious JavaScript to be executed when the settings page is accessed or the button is rendered, which could lead to an attacker gaining admin-level access to the site.
Exploiting the XSS Vulnerability
To exploit CVE-2024-8968, an attacker with editor-level access:
POC:
You should go to creation of new Button. Change "Text color" field to 160"+onmouseover=alert(1)// -> Save Settings (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-8968 are high. If successfully exploited, an attacker could hijack the session of an administrator or any other user with elevated privileges. This would allow the attacker to gain full control over the WordPress site, including the ability to modify content, install malicious plugins, and steal user data. In a real-world scenario, an attacker could use the backdoor admin account to perform malicious actions, such as defacing the site, altering user permissions, or stealing sensitive information from users. For websites dealing with sensitive data, such as e-commerce sites or membership platforms, this vulnerability could lead to significant financial loss, data breaches, and reputational damage. Additionally, this vulnerability could be used as part of a broader attack, allowing the attacker to exploit other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-8968, WordPress administrators should immediately update Max Buttons to the latest version as soon as a patch is available. Additionally, administrators should review user roles and restrict editor-level users from accessing sensitive plugin settings such as the “Text color” field. Input fields, especially those affecting dynamic content like button colors, should be properly sanitized to prevent JavaScript injection. Disabling the unfiltered_html capability for non-admin users is essential in preventing script injection. Administrators should also implement Content Security Policies (CSP) to limit the execution of untrusted scripts. Regular security audits and using security plugins to scan for vulnerabilities in WordPress plugins can help protect against such attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8968, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
