The popular Flexmls® IDX Plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability, assigned CVE-2024-10552, can be exploited via the 'api_key' and 'api_secret' parameters. It affects all plugin versions up to and including 3.14.26 and is caused by insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can use it to inject arbitrary web scripts that execute whenever a user accesses an injected page.
Link to CVE
Link to Flexmls® IDX Plugin for WordPress
Exploit Details
A successful exploit requires the attacker to have Contributor-level access or higher on the affected WordPress website. The vulnerability allows the attacker to inject arbitrary web scripts into pages that will be executed when a user accesses the injected pages.
The vulnerability stems from insufficient input sanitization and output escaping of the 'api_key' and 'api_secret' parameters.
Code Snippet
The following example request, aimed at the incomplete patch in version 3.14.25, shows how the two vulnerable parameters can be abused:
POST /wp-admin/admin.php?page=flexmls_connect%2Fflexmls_connect.php HTTP/1.1
Host: <target>
[Request Headers]
Content-Length: 236
Content-Type: application/x-www-form-urlencoded

api_key=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&api_secret=%3Cscript%3Ealert%282%29%3C%2Fscript%3E&action=Update&settings-updated=true
In the above example, the 'api_key' parameter carries the URL-encoded payload <script>alert(1)</script> and the 'api_secret' parameter carries <script>alert(2)</script>.
Because the plugin stores these values without sanitization and renders them without escaping, the payloads are written into the resulting page and the JavaScript executes whenever a user loads it.
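To make the defect class concrete, here is an added illustration in the form of a hypothetical WordPress settings handler; it is not the Flexmls plugin's own code. The first pair of functions stores the submitted values as-is and echoes them into HTML attributes, which is how a script tag submitted as api_key or api_secret ends up executing on the settings page; the second pair applies the standard WordPress sanitization, escaping, capability and nonce checks that close the gap. The option names, the nonce action and the required capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not Flexmls plugin code. Option names, nonce action
// and the required capability are assumptions chosen for this example.

// VULNERABLE PATTERN: raw POST values are stored unchanged and later echoed
// into attribute values without escaping, so a <script> tag submitted in
// api_key or api_secret is rendered verbatim into the page.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['action'] ) && $_POST['action'] === 'Update' ) {
        update_option( 'example_api_key',    $_POST['api_key'] );
        update_option( 'example_api_secret', $_POST['api_secret'] );
    }
}

function example_render_settings_vulnerable() {
    $key    = get_option( 'example_api_key', '' );
    $secret = get_option( 'example_api_secret', '' );
    echo '<input type="text" name="api_key" value="' . $key . '">';
    echo '<input type="password" name="api_secret" value="' . $secret . '">';
}

// HARDENED PATTERN: capability and nonce check before saving, input
// sanitization on the way in (sanitize_text_field strips tags), and output
// escaping on the way out (esc_attr encodes < > " and &). Either layer alone
// would neutralise the payload in the advisory; WordPress convention is both.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'Update' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) { // capability is assumed
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_settings_update' ); // nonce action is assumed
    $key    = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    $secret = sanitize_text_field( wp_unslash( $_POST['api_secret'] ?? '' ) );
    update_option( 'example_api_key',    $key );
    update_option( 'example_api_secret', $secret );
}

function example_render_settings_hardened() {
    $key    = get_option( 'example_api_key', '' );
    $secret = get_option( 'example_api_secret', '' );
    wp_nonce_field( 'example_settings_update' );
    echo '<input type="text" name="api_key" value="' . esc_attr( $key ) . '">';
    echo '<input type="password" name="api_secret" value="' . esc_attr( $secret ) . '">';
}
```

With the hardened handler, the advisory's request stores the literal text alert(1) and alert(2) rather than a script tag, and even a value that slipped past sanitization would be rendered as inert attribute text by esc_attr().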
Mitigation
The developers of the Flexmls® IDX Plugin released a partial patch in version 3.14.25. Because that fix is incomplete, users are urged to update as soon as the developers release a complete patch. Until then, to minimize the risk of exploitation, restrict access to the plugin settings page to trusted users with appropriate permissions.
Conclusion
CVE-2024-10552 is a critical XSS vulnerability in the Flexmls® IDX Plugin for WordPress that affects versions up to, and including, 3.14.26. The vulnerability enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, leading to potential data theft, unauthorized account access, or other malicious activities. Users are advised to limit access to the plugin settings page and stay vigilant for updates to ensure that their WordPress sites remain secure against exploitation.
Link to WordPress Security Blog
Link to Flexmls® Support Center
Timeline
Published on: 01/25/2025 07:15:07 UTC