CVE-2024-9883 describes a critical vulnerability in the Pods – Custom Content Types and Fields plugin, a popular WordPress plugin with over 100,000 active installations. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript (JS) into the plugin’s settings, allowing them to create backdoors and perform admin account takeovers. The vulnerability is due to insufficient sanitization within the “Heading HTML tag” setting of custom content fields.

CVE: CVE-2024-9883
Plugin: Pods < 3.2.7.1
Criticality: High
All Time: 4 469 679
Active installations: 100 000+
Publicly Published: September 14, 2024
Last Updated: September 14, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9883
https://wpscan.com/vulnerability/ea4b277e-ef47-4e38-bd82-c5a54a95372f/

Timeline

September 16, 2024: Plugin testing and vulnerability detection in the Pods – Custom Content Types and Fields plugin have been completed
September 16, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 14, 2024: Registered CVE-2024-9883

Discovery of the Vulnerability

The vulnerability was identified during security testing, where it was discovered that the “Label” and “Heading HTML tag” fields in custom user pods do not properly sanitize user inputs. This allows attackers to embed harmful JavaScript, which executes whenever an administrator or editor views the affected user profile.

Understanding XSS Attacks

Cross-Site Scripting (XSS) occurs when web applications fail to properly sanitize user inputs, enabling attackers to inject and execute untrusted code. Stored XSS, as demonstrated in CVE-2024-9883, is particularly dangerous because the malicious code is stored in the database and triggered whenever the affected content is accessed.

In the Pods plugin, this XSS vulnerability enables contributors or editors to insert JavaScript into the custom content settings. When an admin or privileged user accesses the profile, the script executes, leading to potential site compromise. Similar XSS vulnerabilities in WordPress have been exploited to take over sites, steal user data, and install malware.

Exploiting the XSS Vulnerability

To exploit CVE-2024-9883, an attacker with editor-level access would create a new “Users” pod in the Pods plugin and configure a malicious payload as outlined in the PoC. When the payload is stored, the injected script is triggered whenever an admin or editor accesses the affected user profile, allowing the attacker to hijack sessions or escalate privileges.

POC:

Create a new Users pod. Add a new field to this pod. Change "Label" to alert(1) and "Field type" to Heading. In Heading Options, change the "Heading HTML tag" field to script, then Save Settings and go to any user profile. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The risks associated with CVE-2024-9883 are significant, especially for high-traffic websites or business sites that handle sensitive data. Exploiting this vulnerability can lead to unauthorized account access, backdoor installation, and potential site manipulation.

In real-world scenarios, attackers could use this vulnerability to install persistent backdoors, hijack admin accounts, or steal sensitive information. Compromised websites could be used for malicious activities such as phishing or malware distribution, leading to financial losses and reputational damage.

Recommendations for Improved Security

To mitigate the risks of CVE-2024-9883, WordPress administrators should update the Pods – Custom Content Types and Fields plugin to the latest version as soon as a patch is available. Developers must ensure that all user inputs, especially in fields like the “Heading HTML tag,” are properly sanitized to prevent the injection of malicious scripts.
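The following PHP is an added illustration, not code from the Pods plugin: it models the rendering of a Heading field whose tag and label are editor-controlled settings, first as described in this advisory and then with an allowlist for the tag and escaping for the label. The function names, the allowlist and the sample values are assumptions chosen for the example.

```php
<?php
// Added example (not Pods plugin code). A Heading field renders a label
// inside a tag that comes from the stored "Heading HTML tag" setting.

// Behaviour described by the advisory: the stored tag and label are
// interpolated verbatim, so a tag of "script" turns the label into code.
function render_heading_vulnerable(string $tag, string $label): string {
    return "<{$tag}>{$label}</{$tag}>";
}

// Hardened form: the tag must be one of a fixed set of harmless elements,
// and the label is HTML-escaped so it can never introduce markup of its own.
// Anything outside the allowlist falls back to a default tag rather than
// being "cleaned", since partial cleaning of tag names is easy to get wrong.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

function render_heading_safe(string $tag, string $label, string $fallback = 'h2'): string {
    $tag = strtolower(trim($tag));
    if (!in_array($tag, ALLOWED_HEADING_TAGS, true)) {
        $tag = $fallback;
    }
    // In a WordPress plugin, esc_html() does the same job as htmlspecialchars().
    $safe_label = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<{$tag}>{$safe_label}</{$tag}>";
}

// Constructed sample values mirroring the advisory's PoC settings.
$stored_tag   = 'script';
$stored_label = 'alert(1)';

// The vulnerable renderer emits a script element wrapping the label.
echo render_heading_vulnerable($stored_tag, $stored_label), PHP_EOL;

// The hardened renderer rejects "script", falls back to h2, and emits the
// label as inert text.
echo render_heading_safe($stored_tag, $stored_label), PHP_EOL;

// Second constructed case: an allowed tag, but a label that tries to close
// the element and inject markup. Escaping keeps it as visible text.
echo render_heading_safe('h3', '</h3><img src=x onerror=alert(1)>'), PHP_EOL;
```

The same allowlist check belongs on the save path as well as the render path, so a rejected value is never persisted in the first place.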

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9883, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-9883 – Pods – Custom Content Types and Fields – Stored XSS to Backdoor Creation – POC
