CVE-2024-9021 An XSS vulnerability found recently in the Relevanssi plugin, which is one of the most popular WordPress plugins, extends the standard WordPress search feature by adding powerful customization options and increasing search relevance. However, the recent discovery of a stored XSS vulnerability in Relevanssi version 4.23.1 and below has raised concerns about the security of the website. This vulnerability may allow developers to inject malicious scripts, which will lead to serious consequences for site administrators.
| CVE | CVE-2024-9021 |
| Plugin | Relevanssi – A Better Search < 4.23.1 |
| Critical | High |
| All Time | 6 740 152 |
| Active installations | 100 000+ |
| Publicly Published | September 17, 2024 |
| Last Updated | September 17, 2024 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9021/ https://wpscan.com/vulnerability/5f25646d-b80b-40b1-bcaf-3b860ddc4059/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| September 17, 2024 | Plugin testing and vulnerability detection in the Relevanssi plugin have been completed |
| September 17, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 27, 2024 | Registered CVE-2024-9021 |
Discovery of the Vulnerability
The vulnerability was identified in Relevanssi < 4.23.1, where users with Contributor-level access could exploit improper input sanitization to perform Stored XSS attacks. The issue lies in the handling of custom fields, where a malicious script can be inserted and later executed by an unsuspecting administrator. This vulnerability allows attackers to bypass security controls and potentially gain unauthorized access to the site, creating backdoors or hijacking admin sessions.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities occur when untrusted input is injected into a web page and executed by the browser. Stored XSS is particularly dangerous because the malicious payload is permanently stored on the server, often in a database, and executed each time the infected content is loaded. WordPress plugins like Relevanssi, which provide extensive customization through user-generated content, are common targets for XSS attacks.
Real-world examples of XSS attacks in WordPress often involve inserting scripts into forms, post metadata, or widget fields. In the case of Envira Gallery, the attack vector is the image “Title” field, where the malicious JavaScript is stored and triggered when a privileged user interacts with the image in the gallery. This kind of attack can lead to severe consequences, such as account hijacking or site defacement.
Exploiting the XSS Vulnerability
To exploit this vulnerability, an attacker would follow these steps:
POC:
- Log in to the WordPress site using a Contributor-level account.
- Create a new post and navigate to the post options by clicking on the three dots in the top-right corner.
- Enable Advanced Custom Fields in the General column.
- Enter the malicious payload in the Name parameter of the custom fields.
- Save the post.
- When the administrator accesses the Relevanssi plugin settings and enters the Indexing panel, they will click the “List custom fields” button, which triggers the stored XSS payload. At this point, the malicious script is executed in the admin’s session.
PoC payload: "><script></script><img src=x onerror=alert(/XSS/)>____
The result? The attacker gains control over the admin’s account, enabling them to escalate their privileges, install backdoors, or hijack sensitive data.
Recommendations for Improved Security
To mitigate this vulnerability, it is crucial to update the Relevanssi plugin to version 4.23.1 or higher, where the issue has been patched. Here are some additional recommendations for enhancing WordPress site security:
- Input Validation and Sanitization: Always validate and sanitize user inputs, especially for roles with lower privileges like Contributors and Authors. This can prevent malicious scripts from being saved in custom fields.
- Here is a guide how to sanitize your code against XSS.
- Limit Access: Restrict Contributor-level accounts to only trusted users, and limit their ability to access custom fields or any sensitive areas of the site.
- Security Audits: Regularly audit your WordPress plugins and themes for vulnerabilities, and keep them up to date with the latest security patches.
- Web Application Firewalls (WAF): Use a WAF to detect and block malicious scripts before they can exploit vulnerabilities on your site.
- Monitoring: Set up monitoring and alert systems to notify you of unusual activities, such as changes to custom fields or unauthorized access to the admin panel.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9021, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
ARTYOM K.
