CVE-2024-4439: WordPress Core Vulnerability to Stored Cross-Site Scripting via User Display Names in Avatar Block

A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the WordPress Core, affecting multiple versions up to 6.5.2. This vulnerability is due to insufficient output escaping on user display names in the Avatar block, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts. These scripts may execute when a user accesses an injected page. Unauthenticated attackers can also exploit this vulnerability if the comment block is present and displays the comment author's avatar.

Code Snippet

The affected code is in the wp-includes/class-wp-walker.php file in the WordPress Core. The issue lies in the improper handling and escaping of the display_name attribute.

// wp-includes/class-wp-walker.php
function args_callback( &$output, $object, $depth = , $args = array(), $current_object_id =  ) {
    $output .= sprintf( $args['format'], $object->{$args['field']}, esc_attr( $object->{$args['field']} ), $object->display_name );
}

References and Original Reports

1. WordPress Core Ticket #57487 - Original report by the WordPress Security Team.
2. CVE-2024-4439 in the CVE List - Official Common Vulnerabilities and Exposures (CVE) entry.

Exploit Details

Authenticated attackers with contributor-level access and above can exploit this vulnerability by changing their display name to include a malicious script. When the Avatar block is loaded on a page with the attacker's display name, the malicious script will execute.

To simulate this attack, an attacker could adjust their display name to include a simple JavaScript alert, such as:

<script>alert('XSS Vulnerability');</script>

Unauthenticated attackers can exploit this vulnerability by submitting a comment with a malicious script in the author field, provided the comment block is present and displays the comment author's avatar.

Mitigation and Prevention

Administrators should take the following steps to protect their WordPress installations against this vulnerability:

Update to the latest version of WordPress to ensure the vulnerability is patched.

2. Restrict user permissions and roles, ensuring only trusted users have access to Contributor-level access or higher.
3. Install security plugins and utilize Content Security Policy (CSP) headers to protect against Cross-Site Scripting attacks.
4. Monitor user activity, particularly user display name changes, to detect and prevent potential exploitation attempts.

Additionally, users are encouraged to report any suspicious behavior or potential vulnerabilities to their website administrators or to the WordPress Security Team.

Timeline

Published on: 05/03/2024 06:15:14 UTC
Last modified on: 07/03/2024 02:07:34 UTC