During a recent security test, a vulnerability identified as CVE-2024-8983 was discovered in Custom Twitter Feeds, a popular WordPress plugin. This vulnerability allows an attacker to embed stored cross-site scripting (XSS) payloads on the site, which can potentially lead to the creation of a backdoor and account hijacking.

CVE: CVE-2024-8983
Plugin: Custom Twitter Feeds < 2.2.3
Critical: Low
All Time: 2 572 501
Active installations: 100 000+
Publicly Published: September 18, 2024
Last Updated: September 18, 2024
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8983/
https://wpscan.com/vulnerability/29194dde-8d11-4096-a5ae-1d69c2c5dc33/

Timeline

September 18, 2024: Plugin testing and vulnerability detection in Custom Twitter Feeds were completed.
September 18, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it.
September 26, 2024: Registered CVE-2024-8983.

Discovery of the Vulnerability

The vulnerability was found during routine security assessments of the Custom Twitter Feeds plugin, which allows users to display Twitter feeds directly on their websites. The plugin’s customizable features, such as the custom JavaScript option, were found to be vulnerable to stored XSS attacks. The lack of proper sanitization in certain input fields allows attackers to inject malicious scripts that are later executed in the browsers of unsuspecting users, including those with administrative privileges.

Understanding XSS Attacks

Stored XSS occurs when malicious scripts are stored on the server and executed in the victim’s browser when the affected page is loaded. In the case of this vulnerability, attackers can inject harmful JavaScript code via the Custom JS input field in the plugin’s settings. Once saved, the script is triggered whenever a page or post utilizing the Twitter feed is accessed, potentially giving the attacker control over the site.

Exploiting the XSS Vulnerability

To exploit the vulnerability in the Custom Twitter Feeds plugin, attackers need access to the plugin’s settings panel. Once there, they can inject a payload into the Custom JS section. For example:

POC:

1. Go to the Twitter Feeds plugin panel.
2. Go to Settings, then to the plugin settings.
3. Go to the Feeds section.
4. Enter the payload into the Custom JS field.
   PoC: "><script></script><img src=x onerror=alert(/XSS1/)>
5. Go to any post or page. The payload will execute on the page.


After saving the malicious payload, the script will be stored within the website’s code and triggered whenever the Twitter feed is displayed on any post or page. This simple yet dangerous action can allow the attacker to perform actions as the admin or escalate their privileges, eventually taking full control of the site.

In a real-world scenario, an attacker could exploit this vulnerability to inject malware into a giveaway page, redirect users to phishing sites, or steal sensitive user data submitted during the contest. Furthermore, the attacker could create unauthorized admin accounts, allowing them to control the site indefinitely and making detection and remediation more difficult.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-8983, it is crucial to implement a few key measures:

Update the Plugin: Ensure you are running the latest version of the Custom Twitter Feeds plugin, as security patches will typically address known vulnerabilities.

Sanitize Input Fields: Developers should ensure that all input fields, especially those that handle custom JavaScript or HTML, are properly sanitized to prevent malicious code injection.

Least Privilege Access: Limit access to plugin settings only to trusted users with the appropriate level of privilege, reducing the chance of exploitation by contributors or lower-level users.
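The two recommendations above (sanitizing the Custom JS setting and restricting who may change it) can be combined in the save and output path of such a setting. The snippet below is an added example written for this post, not the plugin’s own code; the option name, nonce action and hook are assumptions, and it assumes the value is rendered on the front end rather than inside an HTML attribute.

```php
<?php
// Added example (not the Custom Twitter Feeds plugin's code). Option and nonce
// names below are assumptions chosen for illustration.
const CTF_EXAMPLE_OPTION = 'ctf_example_custom_js';

// Save handler for the "Custom JS" setting.
// 1) Only site administrators may change plugin settings (least privilege).
// 2) A nonce ties the request to the settings form (no cross-site saves).
// 3) WordPress already has a capability that decides who may store raw
//    script/markup: unfiltered_html. Reuse it instead of inventing a new rule,
//    so a site that has revoked it (e.g. via DISALLOW_UNFILTERED_HTML) is safe.
function ctf_example_save_custom_js( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'ctf_example_save', 'ctf_example_nonce' );

    $js = wp_unslash( (string) $raw );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // Roles without unfiltered_html cannot store script at all.
        $js = '';
    }
    update_option( CTF_EXAMPLE_OPTION, $js, false );
}

// Output path. The PoC payload works because the stored value ends up in an
// HTML context, where "><script></script><img ...> closes the surrounding
// element and injects new markup. Emitting the value only as the body of a
// dedicated <script> element keeps it in a JavaScript context: stray HTML
// tags there are a JS syntax error, not new DOM. The one sequence that can
// still break out of that context, an early </script, is neutralised.
function ctf_example_print_custom_js() {
    $js = get_option( CTF_EXAMPLE_OPTION, '' );
    if ( '' === $js ) {
        return;
    }
    $js = str_ireplace( '</script', '<\/script', $js );
    echo "<script>\n" . $js . "\n</script>\n";
}
add_action( 'wp_footer', 'ctf_example_print_custom_js' );
```

Note that a "custom JS" setting is script execution by design; the control that matters is who may set it, which is why the save handler gates storage on unfiltered_html rather than trying to filter JavaScript for "bad" content.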

Regular Security Audits: Conduct frequent security audits of your website and plugins to detect vulnerabilities early.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8983, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability


ARTYOM K.
CVE-2024-8983 – Custom Twitter Feeds – Stored XSS to JS Backdoor Creation – POC
