Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
Successful exploitation could allow attackers to execute malicious scripts in the browser of an unsuspecting user viewing a page on the vulnerable WordPress site. This could lead to stealing sensitive data like session cookies, performing actions on behalf of the victim user, defacing the website, or facilitating further attacks.
Multiple proof-of-concept exploits are available on github.com. Its exploitation has been reported by various sources, including vulners.com.
WordPress has released version 6.5.3 which addresses this vulnerability by properly escaping user display names in the Avatar block.
Update WordPress installations to version 6.5.3 or later to remediate this vulnerability. As a workaround, disable the Avatar block if it is not needed until the update can be applied. Review all user-provided data for proper sanitization and encoding before outputting it.
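To make the "insufficient output escaping" concrete, the following is an added example (not WordPress core code and not the PoC referenced above) that contrasts an avatar image tag built from an unescaped display name with one built from a properly escaped name. It assumes plain PHP outside a WordPress runtime, so `htmlspecialchars()` stands in for WordPress's `esc_attr()` and `esc_url()`; the display name and avatar URL are constructed sample values.

```php
<?php
// Added example, not WordPress core code. Shows why a user display name placed
// inside an HTML attribute must be escaped for the attribute context.
// htmlspecialchars() is used here as a stand-in for WordPress's esc_attr()/esc_url(),
// which only exist inside a WordPress runtime (assumption for this demo).

function render_avatar_vulnerable(string $display_name, string $avatar_url): string
{
    // The display name is user-controlled (a contributor's profile or a comment
    // author) and is interpolated into the alt attribute with no escaping: a
    // double quote in the name closes the attribute and the remainder of the
    // name is parsed as markup.
    return '<img src="' . $avatar_url . '" alt="' . $display_name . '" class="avatar">';
}

function render_avatar_fixed(string $display_name, string $avatar_url): string
{
    // Attribute context: encode quotes, angle brackets and ampersands so the
    // browser treats the whole name as text (esc_attr() in WordPress).
    $alt = htmlspecialchars($display_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // URL context: escape the attribute value as well (esc_url() in WordPress
    // additionally validates the scheme; plain attribute escaping is used here).
    $src = htmlspecialchars($avatar_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $src . '" alt="' . $alt . '" class="avatar">';
}

// Simple check a reviewer can run over rendered output: does the name still
// appear as raw markup (a literal "<script" outside any attribute value)?
function contains_raw_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample values: a display name that closes the alt attribute,
// and a placeholder avatar URL.
$name = 'Alice"><script>alert(1)</script>';
$url  = 'https://example.com/avatar/alice.png';

$vulnerable = render_avatar_vulnerable($name, $url);
$fixed      = render_avatar_fixed($name, $url);

echo "Unescaped: ", $vulnerable, PHP_EOL;
echo "Escaped:   ", $fixed, PHP_EOL;

// The vulnerable rendering carries a real <script> element; the fixed one keeps
// the entire name inside the alt attribute as inert text.
var_dump(contains_raw_script_tag($vulnerable)); // true for the vulnerable output
var_dump(contains_raw_script_tag($fixed));      // false for the escaped output
```

The same attribute-context escaping applies wherever the Avatar block or the comment block echoes a display name; review every such output point, not only the one fixed in 6.5.3.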
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
NVD published the first details for CVE-2024-4439
A CVSS base score of 7.2 has been assigned.
Feedly found the first article mentioning CVE-2024-4439.
Feedly estimated the CVSS score as MEDIUM
EPSS Score was set to: 0.05% (Percentile: 19.3%)
Detection for the vulnerability has been added to Qualys (154156)
Attacks in the wild have been reported by Vulners.com RSS Feed.
The vulnerability CVE-2024-4439 is a critical WordPress WP Core Plugin vulnerability that allows remote attackers to execute arbitrary code on the affected system. It has a CVSS score of X.X. The vulnerability is actively being exploited in the wild by threat actors, and there are proof-of-concept exploits available. Mitigations, detections, and patches are not yet available, leading to potential downstream impacts on other third-party vendors or technologies that rely on WordPress.