CVE-2024-0386

7.2 HIGH

📋 TL;DR

The weForms WordPress plugin, in all versions up to and including 1.6.21, stores the value of the HTTP Referer header without sufficient sanitization and renders it without output escaping (stored cross-site scripting). An unauthenticated attacker can place a script payload in that header; the script then runs in the browser of any user who later views the page on which the stored value is displayed. Every WordPress site running an affected weForms version is exposed.

💻 Affected Systems

Products:
  • weForms WordPress plugin
Versions: All versions up to and including 1.6.21
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with weForms plugin enabled, regardless of configuration.


⚠️ Risk & Real-World Impact

🔴

Worst Case

A script executing in an administrator's session can act as that administrator: create additional admin accounts, install a backdoored plugin, edit theme files, or redirect visitors to malicious sites, giving the attacker full control of the site and its data.

🟠

Likely Case

Attackers inject scripts that run in the victim's browser to perform actions on the victim's behalf, redirect users to phishing pages, or deface site content. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is less likely than actions driven through the victim's own session.

🟢

If Mitigated

With the input sanitization and output escaping added in the fix, the stored header value is rendered as inert text and no script executes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires sending a crafted HTTP request with a malicious Referer header to a vulnerable endpoint; no account is needed. The payload does not run until a user views the page on which the stored header value is displayed, so the attacker still depends on that later page view to reach a victim.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.22 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047406%40weforms&new=3047406%40weforms&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find weForms and click 'Update Now'.
4. Verify the version shown is 1.6.22 or higher.

🔧 Temporary Workarounds

Disable weForms Plugin

Applies to: all

Temporarily deactivate the vulnerable plugin until it can be updated. WordPress does not load a deactivated plugin's code, so its request handlers cannot be reached; the site's weForms forms stop working for the duration.

wp plugin deactivate weforms

WAF Rule for Referer Header

Applies to: all

Block HTTP requests whose Referer header contains '<script' or 'javascript:'.

Add WAF rule: Block HTTP requests where Referer header contains '<script' or 'javascript:'

Treat this as a stopgap only: a signature on those two literal strings is easy to evade (mixed case, event-handler attributes such as onerror=, other tag names), so the rule reduces exposure but does not close the bug.

🧯 If You Can't Patch

  • Implement a Content Security Policy (CSP) that disallows inline scripts and restricts script sources. Caveat: WordPress core and many plugins rely on inline scripts in wp-admin, so a policy strict enough to block an injected inline payload usually breaks the admin UI; treat CSP as defence in depth, not as a fix.
  • Use a web application firewall to filter the Referer header before it reaches the application, bearing in mind that signature matching on a fully attacker-controlled header is bypassable.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for weForms version. If version is 1.6.21 or lower, you are vulnerable.

Check Version:

wp plugin get weforms --field=version

Verify Fix Applied:

After updating, verify weForms version shows 1.6.22 or higher in WordPress plugins list.
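The version check above can be scripted against WP-CLI output. The following Python is an added example written for this page, not code from the weForms project: it reads the JSON emitted by `wp plugin list --format=json` (assumed here to carry `name`, `status` and `version` fields per plugin, which is the documented shape of that command's output) and compares the installed weForms version numerically against the fixed release named in the advisory. The sample plugin list at the bottom is constructed for the example.

```python
import json
import re

PLUGIN_SLUG = "weforms"
FIXED_VERSION = "1.6.22"  # first unaffected release, per the advisory


def parse_version(version):
    """'1.6.21' -> (1, 6, 21). Compare numerically, never as strings:
    as strings '1.6.9' > '1.6.22', which would report a vulnerable site as safe."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return parts


def version_lt(a, b):
    """Numeric less-than with zero padding so '1.6' == '1.6.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_vulnerable(version):
    """True when the installed weForms version is below the fixed release."""
    return version_lt(version, FIXED_VERSION)


def check_site(plugin_list_json):
    """Evaluate the JSON from `wp plugin list --format=json`.
    Returns None if weForms is not installed, else a small report dict."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            vulnerable = is_vulnerable(plugin["version"])
            return {
                "version": plugin["version"],
                "status": plugin.get("status"),
                "vulnerable": vulnerable,
                # WordPress does not load an inactive plugin's code, so the
                # vulnerable handlers are unreachable until it is re-enabled;
                # it should still be updated or removed.
                "exposed": vulnerable and plugin.get("status") in ("active", "active-network"),
            }
    return None


# Constructed sample, shaped like `wp plugin list --format=json` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "weforms", "status": "active", "update": "available", "version": "1.6.21"},
])

if __name__ == "__main__":
    import sys
    # Usage: wp plugin list --format=json | python3 check_weforms.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    print(json.dumps(check_site(data), indent=2))
```

Run it as `wp plugin list --format=json | python3 check_weforms.py` on the site; a result with `"vulnerable": true` and `"exposed": true` means the plugin is both below 1.6.22 and active.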

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to weForms-related endpoints whose Referer header contains script tags, javascript: URIs, event-handler attributes (onerror=, onload=) or other unusual payloads. Note that access logs escape the header value: nginx writes a double quote as \x22 and Apache as \", so match against the unescaped value or signatures will miss quoted attributes.

Network Indicators:

  • Unusual Referer header patterns in HTTP traffic to WordPress sites with weForms.

SIEM Query:

source="web_logs" AND (uri="*weforms*" OR uri="*wp-admin*" OR uri="*wp-json*") AND (referer="*<script*" OR referer="*javascript:*")
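The query above matches only two literal strings in the raw log line. The following Python script is an added example written for this page, not part of the original page or the weForms project: it runs a detection pass over access-log lines in the Apache/nginx combined format, undoes the log escaping (nginx's \x22, Apache's \") before matching, and flags Referer values with a wider set of signatures, including event-handler attributes. The log lines at the bottom are constructed for the example and the request paths in them are illustrative, not the plugin's actual endpoints.

```python
import re

# Apache/nginx "combined" format. The Referer is the first quoted field after
# status and size. Quoted fields may contain backslash escapes, handled below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Named payload signatures checked against the decoded Referer value.
# Case-insensitive, because the browser treats <ScRiPt> like <script>.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_tag": re.compile(
        r"<\s*(img|svg|iframe|body|input|details|video|audio|object|embed|math)\b", re.I
    ),
    # an on*= attribute inside a tag, e.g. <img src=x onerror=...>; requiring
    # the enclosing '<' keeps ordinary query strings like ?once=1 out
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
}


def unescape_log_field(field):
    # nginx writes '"', '\' and non-printable bytes as \xHH.
    # Apache writes \" and \\ and uses \xHH only for non-printables.
    field = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)
    return field.replace('\\"', '"').replace("\\\\", "\\")


def flag_referer(referer):
    """Return the names of the signatures the (decoded) Referer matches."""
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(referer)]


def scan_log(lines):
    """Parse combined-format lines and return one hit dict per suspicious Referer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        referer = unescape_log_field(m.group("referer"))
        names = flag_referer(referer)
        if names:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "request": m.group("request"),
                "referer": referer,
                "patterns": names,
            })
    return hits


# Constructed sample log lines (not real traffic). The third one shows how
# nginx logs the quotes inside an attribute as \x22.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2024:10:12:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"https://example.org/contact/" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jan/2024:10:12:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"<script>alert(1)</script>" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jan/2024:10:12:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"<img src=x onerror=\\x22alert(document.domain)\\x22>" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jan/2024:10:13:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 '
    '"https://example.org/?ref=JavaScript:void(0)" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["patterns"], repr(hit["referer"]))
```

Feed it real logs with `scan_log(open("/var/log/nginx/access.log"))`; a grep for `onerror="` against the raw nginx line would have missed the third sample entirely, because the quotes are logged as `\x22`.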
