CVE-2024-9883 uncovers a critical vulnerability in the Pods – Custom Content Types and Fields plugin, a popular WordPress plugin with over 100,000 active installations. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript (JS) into the plugin’s settings, allowing them to create backdoors and perform admin account takeovers. The vulnerability is due to insufficient sanitization within the “Heading HTML tag” setting of custom content fields.
CVE | CVE-2024-9883 |
Plugin | Pods < 3.2.7.1 |
Critical | High |
All Time | 4 469 679 |
Active installations | 100 000+ |
Publicly Published | September 14, 2024 |
Last Updated | September 14, 2024 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9883 https://wpscan.com/vulnerability/ea4b277e-ef47-4e38-bd82-c5a54a95372f/ |
Plugin Security Certification by CleanTalk | |
Logo of the plugin |
Timeline
September 16, 2024 | Plugin testing and vulnerability detection in the Pods – Custom Content Types and Fields have been completed |
September 16, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
September 14, 2024 | Registered CVE-2024-9883 |
Discovery of the Vulnerability
The vulnerability was identified during security testing, where it was discovered that the “Label” and “Heading HTML tag” fields in custom user pods do not properly sanitize user inputs. This allows attackers to embed harmful JavaScript, which executes whenever an administrator or editor views the affected user profile.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) occurs when web applications fail to properly sanitize user inputs, enabling attackers to inject and execute untrusted code. Stored XSS, as demonstrated in CVE-2024-9883, is particularly dangerous because the malicious code is stored in the database and triggered whenever the affected content is accessed.
In the Pods plugin, this XSS vulnerability enables contributors or editors to insert JavaScript into the custom content settings. When an admin or privileged user accesses the profile, the script executes, leading to potential site compromise. Similar XSS vulnerabilities in WordPress have been exploited to take over sites, steal user data, and install malware.
Exploiting the XSS Vulnerability
To exploit CVE-2024-9883, an attacker with editor-level access would create a new “Users” pod in the Pods plugin and configure a malicious payload as outlined in the PoC. When the payload is stored, the injected script is triggered whenever an admin or editor accesses the affected user profile, allowing the attacker to hijack sessions or escalate privileges.
POC:
Create a new Users pod. Add new field to this pod. Change "Label" to alert(1) and "Field type" to Heading. In Heading Options change "Heading HTML tag" field to script -> Save Settings -> Go to any user profile (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)
____
The risks associated with CVE-2024-9883 are significant, especially for high-traffic websites or business sites that handle sensitive data. Exploiting this vulnerability can lead to unauthorized account access, backdoor installation, and potential site manipulation.
In real-world scenarios, attackers could use this vulnerability to install persistent backdoors, hijack admin accounts, or steal sensitive information. Compromised websites could be used for malicious activities such as phishing or malware distribution, leading to financial losses and reputational damage.
Recommendations for Improved Security
To mitigate the risks of CVE-2024-9883, WordPress administrators should update the Pods – Custom Content Types and Fields plugin to the latest version as soon as a patch is available. Developers must ensure that all user inputs, especially in fields like the “Heading HTML tag,” are properly sanitized to prevent the injection of malicious scripts.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9883, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.