Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
The Debrandify · Remove or Replace WordPress Branding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions up to and including 1.1.2. This vulnerability is due to insufficient input sanitization and output escaping. It allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
This vulnerability could allow attackers to inject malicious scripts into SVG files uploaded to the WordPress site. When users view these SVG files, the malicious scripts would execute in their browsers. This could lead to various attacks, including:
1. Stealing user session cookies, potentially allowing attackers to impersonate users.
2. Defacing the website by modifying its appearance to visitors.
3. Injecting malicious content or redirects to phishing sites.
4. Performing actions on behalf of the user without their knowledge.
5. Accessing sensitive information available to the user's browser.
The impact is somewhat limited as it requires an authenticated user with at least Author-level permissions, and user interaction is required for the attack to be successful.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. The vulnerability has been fixed in a newer version of the plugin. Users should update to version 1.1.3 or later of the Debrandify plugin to mitigate this vulnerability.
To mitigate this vulnerability, the following steps are recommended:
1. Update the Debrandify plugin to version 1.1.3 or later immediately.
2. If immediate updating is not possible, consider temporarily disabling the plugin until it can be updated.
3. Implement strong user access controls and limit the number of users with Author-level permissions or above.
4. Regularly audit user accounts and their permission levels.
5. Implement additional security measures such as Web Application Firewalls (WAF) that can help detect and prevent XSS attacks.
6. Educate users about the risks of accessing untrusted SVG files on the website.
7. Regularly scan and monitor the website for any signs of compromise or suspicious activity.
8. Keep all WordPress core files, themes, and other plugins up to date as well.
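The root cause described above is that SVG uploads reach the media library without their active content being removed. As an added example (not code from the Debrandify plugin or from this advisory), the following must-use plugin hooks WordPress's standard `wp_handle_upload_prefilter` filter and rejects SVG uploads that contain script elements, event-handler attributes or `javascript:`/`data:` links; the function name `svg_active_content_findings` and the rejection message are assumptions of this example.

```php
<?php
/**
 * Added example, not part of the Debrandify plugin: an interim upload guard
 * for SVG files. Place in wp-content/mu-plugins/ until the plugin is updated.
 */

/** Return reasons an SVG should be rejected, or an empty array if none. */
function svg_active_content_findings(string $svg): array {
    $findings = [];
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch remote DTDs or entities while parsing an upload.
    $loaded = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$loaded) {
        return ['not well-formed XML'];
    }
    // Elements that run script or embed foreign (HTML) content on their own.
    $blocked = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    foreach ($dom->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, $blocked, true)) {
            $findings[] = "<$name> element";
        }
        foreach ($el->attributes as $attr) {
            $aname = strtolower($attr->localName);   // xlink:href -> "href"
            $value = strtolower(preg_replace('/\s+/', '', $attr->value));
            if (strncmp($aname, 'on', 2) === 0) {
                $findings[] = "event handler $aname on <$name>";
            } elseif ($aname === 'href' &&
                      (str_starts_with($value, 'javascript:') || str_starts_with($value, 'data:'))) {
                $findings[] = "script-bearing href on <$name>";
            }
        }
    }
    return $findings;
}

if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if ($ext !== 'svg') {
            return $file;                      // only inspect SVG uploads
        }
        $findings = svg_active_content_findings((string) file_get_contents($file['tmp_name']));
        if ($findings) {
            // Setting 'error' makes wp_handle_upload() abort and report this message.
            $file['error'] = 'SVG upload rejected: ' . implode(', ', $findings);
        }
        return $file;
    });
}
```

This is a denylist check on the parsed document, suitable as a stopgap and as a detection hook; an allowlist-based SVG sanitizer that rewrites the file is the stronger long-term control, alongside updating to 1.1.3.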
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Feedly found the first article mentioning CVE-2024-9674.
Feedly estimated the CVSS score as MEDIUM
NVD published the first details for CVE-2024-9674
A CVSS base score of 6.4 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 22%)
A CVSS base score of 5.4 has been assigned.