The Lightbox & Modal Popup WordPress plugin (FooBox, slug foobox-image-lightbox on WordPress.org), version 2.7.27 and prior, contains a Stored Cross-Site Scripting (XSS) vulnerability tracked as CVE-2024-3276 and fixed in version 2.7.28. The plugin does not sanitize or escape some of its settings, so a user with administrator privileges can store a script that later runs in the browser of anyone who opens the affected admin page. On a single-site install the attacker already holds administrator rights, so the practical concern is multisite: there, site administrators are normally denied the unfiltered_html capability precisely to stop them from injecting markup, and this bug lets them bypass that restriction and run script in the session of another administrator or a super admin.

Vulnerability Details

Stored XSS vulnerabilities arise when user input is written to persistent storage without sanitization and is later rendered without escaping. In the case of CVE-2024-3276, the Lightbox & Modal Popup WordPress plugin does neither for some of its settings: the values are stored verbatim and printed back into the settings page as-is. An attacker with administrator-level privileges can save a setting containing JavaScript, which then executes when any other privileged user views or interacts with the affected elements of the WordPress admin dashboard.

The relevant part of the vulnerable save handler looks like this:

    // Vulnerable code in Lightbox & Modal Popup WordPress Plugin
    function save_ajax_foobox_settings() {
        // ... omitted code ...
        // The submitted settings array is only unslashed and JSON-encoded;
        // no value is sanitized before it is written to the options table,
        // and the stored values are later printed without escaping.
        update_option( "foobox-free", json_encode( stripslashes_deep( $_POST['settings'] ) ) );
    }

This code writes the plugin's settings straight from the unsanitized $_POST data, so any HTML or script an administrator submits is stored intact. Note that the capability check WordPress normally applies to post content (unfiltered_html) plays no role here: plugin settings are not run through wp_kses, so a plugin that skips its own sanitization stores the payload regardless of that capability.

To exploit this vulnerability, an attacker with administrative access on the vulnerable WordPress installation would perform the following steps:

1. Log in to the WordPress dashboard with the administrator account.

2. Open the plugin's settings page.

3. Enter malicious JavaScript into an unsanitized, unescaped setting field, for example "><script>alert('XSS')</script> (the leading "> closes the attribute the value is printed into, so the script tag lands in the page body).

4. Save the plugin's settings.

Once the payload is stored, every administrator who later opens the affected page has the script executed in their browser with their authenticated session, which can be used to change settings, create users or otherwise act as that administrator.
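The following is an added example written for this article, not code from the FooBox plugin or its 2.7.28 fix. It shows the vulnerable pattern above beside a hardened save handler and the matching output escaping; the function, hook, nonce and option names (foobox_example_*, foobox-example) and the field layout are illustrative assumptions.

```php
<?php
// Added example (not the plugin's code). Hardened counterpart to the
// save_ajax_foobox_settings() pattern shown above. All names are assumptions.

// Recursively strip tags from every string in the submitted settings array.
// This runs unconditionally, with no unfiltered_html check, which is what
// stops a multisite administrator without that capability from storing markup.
function foobox_example_sanitize_settings( $value ) {
    if ( is_array( $value ) ) {
        $clean = array();
        foreach ( $value as $key => $item ) {
            // Keys come from the request too, so they are sanitized as well.
            $clean[ sanitize_key( $key ) ] = foobox_example_sanitize_settings( $item );
        }
        return $clean;
    }
    // sanitize_text_field() strips tags, NUL bytes and stray line breaks.
    return sanitize_text_field( (string) $value );
}

function foobox_example_save_ajax_settings() {
    // 1. Only users who may manage options can save, and the request must
    //    carry a valid nonce (the nonce action name is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'foobox_example_save_settings', 'nonce' );

    // 2. wp_unslash() on the raw $_POST value, then sanitize every entry
    //    before anything reaches the database.
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = foobox_example_sanitize_settings( (array) $raw );

    update_option( 'foobox-example', wp_json_encode( $settings ) );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_foobox_example_save_settings', 'foobox_example_save_ajax_settings' );

// 3. Escape at the point of output regardless of what is stored. Stored XSS
//    needs both a missing sanitization step and a missing escape; fixing only
//    one of them leaves the other as a single point of failure.
function foobox_example_render_settings_field( $name ) {
    $settings = json_decode( get_option( 'foobox-example', '{}' ), true );
    $value    = isset( $settings[ $name ] ) ? $settings[ $name ] : '';
    printf(
        '<input type="text" name="settings[%1$s]" value="%2$s">',
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

With this in place the payload from step 3 is stored as the literal text `"><script>alert('XSS')</script>` only after sanitize_text_field() has removed the tags, and whatever remains is rendered through esc_attr(), so the quote and angle brackets come out as &quot;, &lt; and &gt; instead of closing the attribute.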

Resolving and Mitigating the Vulnerability

The fix is to update. Users of the Lightbox & Modal Popup (FooBox) plugin should upgrade to version 2.7.28 or later, in which the affected settings are sanitized and escaped. Keeping WordPress plugins current in general closes this class of issue before it can be used.

Here is a direct link to the plugin's changelog, which highlights the security fix in version 2.7.28: https://wordpress.org/plugins/foobox-image-lightbox/#developers

Beyond updating, the following reduce exposure:

- Limit administrator accounts to trustworthy users, and on multisite networks review who holds the administrator role on each site, since those are the accounts that can plant the payload.

- Keep the unfiltered_html capability disabled for users who do not need it (multisite does this by default). This does not block CVE-2024-3276 itself, because the plugin stored the script regardless of that capability, which is exactly what makes the bug notable; treat it as defence in depth, not a substitute for the update.

Conclusion

CVE-2024-3276 highlights that plugin settings need the same sanitize-on-input and escape-on-output treatment as any other user-supplied data, and that the core unfiltered_html capability offers no protection when a plugin bypasses it. Regularly updating WordPress plugins, and reviewing plugin code that stores and renders configuration, are the practical steps that keep a WordPress installation secure.

Timeline

Published on: 06/18/2024 06:15:12 UTC
Last modified on: 07/08/2024 14:19:01 UTC