CVE-2021-24487
📋 TL;DR
The St-Daily-Tip WordPress plugin saves its "default text" setting through a handler that performs no CSRF check, and the value is stored and later rendered without being neutralised. An attacker who gets a logged-in administrator to submit a crafted cross-site request can therefore store JavaScript in that setting. The stored payload runs in the browser of anyone to whom the tip is rendered, administrators and ordinary visitors alike. Any WordPress site running an affected version of the plugin is exposed.
💻 Affected Systems
- St-Daily-Tip WordPress Plugin
📦 What is this software?
St Daily Tip by Sanskruti, a WordPress plugin that displays a tip of the day on the site and lets the administrator configure a default text for it.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the WordPress site, install backdoors, steal sensitive data, deface the site, or use it as a platform for further attacks against visitors.
Likely Case
The payload runs in an administrator's browser and acts with that administrator's privileges: creating users, editing themes or plugins, or injecting content. Because WordPress authentication cookies are HttpOnly, a payload usually drives the admin's session from inside the page (for example via the REST API nonce already on the page) rather than exfiltrating the cookie. Visitors who see the tip can be redirected to phishing or malware sites.
If Mitigated
With a nonce check and a capability check on the save handler, a cross-site request cannot change the setting at all; with sanitisation on save and escaping on output, any value that does get stored is rendered as inert text rather than executed.
🎯 Exploit Status
Exploitation requires a logged-in administrator to visit an attacker-controlled page (typically reached through a link or email) whose script or form submits the settings request to the site with the administrator's cookies attached. No interaction beyond loading that page is needed. Browsers that default cookies to SameSite=Lax withhold them from most cross-site POSTs, which raises the bar but is not a substitute for the fix. The vulnerability is documented in the WPScan advisory linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8 or later
Vendor Advisory: https://wpscan.com/vulnerability/def352f8-1bbe-4263-ad1a-1486140269f4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'St-Daily-Tip' and update to version 4.8 or later.
4. If no update is available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the vulnerable plugin until it is patched. This stops the tip (and any stored payload) from being rendered.
wp plugin deactivate st-daily-tip
Remove Plugin Files
Completely remove the plugin files from the WordPress installation. Note that this does not delete the plugin's saved settings: if a payload was already stored, the value stays in the database until the plugin's options are removed, so inspect it before reinstalling.
rm -rf /path/to/wordpress/wp-content/plugins/st-daily-tip/
🧯 If You Can't Patch
- Implement a Content Security Policy (CSP) that blocks inline script execution. This has to be a nonce- or hash-based policy without 'unsafe-inline', and WordPress core and many plugins rely on inline scripts, so test it on the admin pages as well as the front end before enforcing it
- Use web application firewall (WAF) rules to detect and block XSS payloads in plugin settings. The rule must inspect the POST body (the payload travels in a form parameter, not the URL), and bear in mind that a WAF blocks known patterns, not the missing CSRF check itself
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'St-Daily-Tip' version 4.7 or earlier.
Check Version:
wp plugin get st-daily-tip --field=version
Verify Fix Applied:
Confirm the plugin version is 4.8 or later in the WordPress admin panel. To verify from source, open the plugin's settings-save handler and check that it calls check_ajax_referer() or wp_verify_nonce() (CSRF), current_user_can() (authorisation), and that the stored text is escaped on output with esc_html() or filtered with wp_kses(). A handler that writes $_POST values straight into update_option() and echoes them back is still vulnerable.
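The source check above made concrete, as an added example that is not part of the advisory or the plugin: a small POSIX shell audit that tests a version string against this page's stated fix version and greps a handler file for the three controls whose absence produces the CSRF-to-stored-XSS chain. The two PHP fixtures it writes are constructed for this example to show the unprotected and hardened shapes of a save handler; only the hook name st_daily_tip_save_settings comes from this page, the function bodies and option name are hypothetical. sort -V is GNU coreutils.

```shell
#!/bin/sh
# Added example, not the plugin's code. Audits a WordPress plugin handler
# for the controls whose absence gives CSRF -> stored XSS.

# is_patched VERSION -> exit 0 if VERSION >= 4.8 (the fix version this page
# states), 1 otherwise. sort -V orders dotted versions numerically.
is_patched() {
    [ "$(printf '%s\n' "4.8" "$1" | sort -V | head -n1)" = "4.8" ]
}

# audit_handler FILE -> one line per control; exit 0 only when all three are
# present. Greps are broad on purpose: a MISSING line is a lead to read the
# code by hand, not proof of exploitability.
audit_handler() {
    f=$1; status=0
    if grep -Eq 'check_ajax_referer|wp_verify_nonce|check_admin_referer' "$f"; then
        echo "nonce check      : present"
    else
        echo "nonce check      : MISSING"; status=1
    fi
    if grep -Eq 'current_user_can' "$f"; then
        echo "capability check : present"
    else
        echo "capability check : MISSING"; status=1
    fi
    if grep -Eq 'esc_html|esc_attr|wp_kses' "$f"; then
        echo "output escaping  : present"
    else
        echo "output escaping  : MISSING"; status=1
    fi
    return $status
}

# Constructed fixtures (hypothetical code, not the real plugin).
tmp=$(mktemp -d)
cat > "$tmp/vulnerable.php" <<'EOF'
<?php
add_action( 'wp_ajax_st_daily_tip_save_settings', 'st_daily_tip_save_settings' );
function st_daily_tip_save_settings() {
    // No nonce, no capability check; raw value stored, later echoed raw.
    update_option( 'st_daily_tip_default_text', $_POST['default_text'] );
    wp_die();
}
function st_daily_tip_render() {
    echo get_option( 'st_daily_tip_default_text' );
}
EOF
cat > "$tmp/hardened.php" <<'EOF'
<?php
add_action( 'wp_ajax_st_daily_tip_save_settings', 'st_daily_tip_save_settings' );
function st_daily_tip_save_settings() {
    check_ajax_referer( 'st_daily_tip_save', 'nonce' );   // CSRF: token bound to the session
    if ( ! current_user_can( 'manage_options' ) ) {       // authz: administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'st_daily_tip_default_text',
        sanitize_text_field( wp_unslash( $_POST['default_text'] ?? '' ) ) );
    wp_send_json_success();
}
function st_daily_tip_render() {
    echo esc_html( get_option( 'st_daily_tip_default_text', '' ) );  // XSS: escape on output
}
EOF

# Run directly with "run" to see both verdicts; functions stay sourceable.
if [ "${1:-}" = "run" ]; then
    for f in "$tmp/vulnerable.php" "$tmp/hardened.php"; do
        echo "== $f"; audit_handler "$f" || echo "-> needs review"
    done
    rm -rf "$tmp"
fi
```

Point audit_handler at the real handler file once you have located the wp_ajax_ hook registration in the installed plugin; a passing grep only says the calls exist, so still confirm they guard the code path that writes the option.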
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with action=st_daily_tip_save_settings
- Administrator accounts performing unexpected plugin configuration changes
Network Indicators:
- HTTP requests carrying script-like content in the 'default_text' parameter sent to the plugin's save endpoint. The parameter travels in the POST body, so this needs a source that records bodies (a WAF or reverse-proxy audit log); standard access logs will only show the POST to wp-admin/admin-ajax.php, where an off-site Referer or Origin header is the tell-tale of a cross-site submission
SIEM Query:
source="wordpress.log" AND "st_daily_tip_save_settings" AND ("script" OR "javascript" OR "onload" OR "onerror")
The action name and the payload markers only appear in the event if the log source captures request bodies; tune the markers to the URL-encoded forms (for example %3Cscript) if bodies are logged raw.
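The two detection passes the indicators above describe, as an added example that is not part of the advisory: the first works on an ordinary combined-format access log, which has no POST bodies, and flags POSTs to admin-ajax.php whose Referer is not this site; the second applies the SIEM query's terms to a body-logging source (a WAF audit log, for instance) and looks at the default_text parameter itself. The host name, addresses and every log line are constructed for this example; the action and parameter names are the ones this page cites.

```shell
#!/bin/sh
# Added example, not from the advisory. Two passes over constructed logs.

SITE_HOST="blog.example.com"   # assumed site host for the Referer check

# flag_csrf_posts ACCESS_LOG -> prints combined-format lines for
# POST /wp-admin/admin-ajax.php with a missing or off-site Referer.
# Exit 0 if any line was printed, 1 otherwise.
flag_csrf_posts() {
    awk -v host="$SITE_HOST" '
        # combined format: IP - USER [DATE TZ] "METHOD PATH PROTO" STATUS BYTES "REFERER" "UA"
        $6 == "\"POST" && $7 ~ /\/wp-admin\/admin-ajax\.php/ {
            ref = $11; gsub(/"/, "", ref)
            if (ref == "-" || ref !~ ("^https?://" host "/")) print
        }' "$1" | grep .
}

# flag_xss_bodies BODY_LOG -> prints body-log lines where the save-settings
# action carries script-like markup in default_text (the SIEM terms, plus the
# URL-encoded <script). Exit 0 if any line was printed.
flag_xss_bodies() {
    grep -i 'st_daily_tip_save_settings' "$1" \
      | grep -iE 'default_text=[^& ]*(%3Cscript|<script|javascript:|onload|onerror)'
}

# Constructed sample data.
tmp=$(mktemp -d)
ACCESS_LOG="$tmp/access.log"
BODY_LOG="$tmp/waf-body.log"
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [12/May/2021:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "https://attacker.example/tip.html" "Mozilla/5.0"
203.0.113.5 - - [12/May/2021:10:02:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "https://blog.example.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [12/May/2021:10:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "https://blog.example.com/wp-admin/options-general.php?page=st-daily-tip" "Mozilla/5.0"
EOF
cat > "$BODY_LOG" <<'EOF'
2021-05-12T10:02:11Z POST /wp-admin/admin-ajax.php body=action=st_daily_tip_save_settings&default_text=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
2021-05-12T10:03:40Z POST /wp-admin/admin-ajax.php body=action=st_daily_tip_save_settings&default_text=Drink+water+daily
2021-05-12T10:05:02Z POST /wp-admin/admin-ajax.php body=action=heartbeat&data=1
EOF

if [ "${1:-}" = "run" ]; then
    echo "== cross-site POSTs to admin-ajax.php"; flag_csrf_posts "$ACCESS_LOG" || echo "(none)"
    echo "== script-like default_text values";    flag_xss_bodies "$BODY_LOG"  || echo "(none)"
    rm -rf "$tmp"
fi
```

The Referer pass is the one most sites can run today; it catches the cross-site submission regardless of payload, but a legitimately empty Referer (privacy extensions, some proxies) will also match, so treat a hit as a lead to pair with the "administrator changed plugin settings" indicator above. The body pass matches on encoded text; decode bodies first in a real pipeline so that double-encoded payloads are not missed.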