CVE-2024-10108
📋 TL;DR
This stored XSS vulnerability in the WPAdverts WordPress plugin allows unauthenticated attackers to inject malicious scripts into website pages via the adverts_add shortcode. When users visit pages containing the injected scripts, the scripts execute in their browsers, potentially stealing session cookies or redirecting to malicious sites. All WordPress sites using WPAdverts plugin versions up to 2.1.6 are affected.
💻 Affected Systems
- WPAdverts - Classifieds Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, install backdoors, deface websites, or redirect visitors to malware distribution sites.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, perform phishing attacks, or redirect users to malicious websites.
If Mitigated
With proper input validation and output escaping, the malicious scripts would be neutralized before reaching users' browsers.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via the shortcode parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.7
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3178088/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WPAdverts plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 2.1.7+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable WPAdverts Plugin
linuxTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate wpadverts
Remove adverts_add Shortcode Usage
allRemove or disable usage of the vulnerable adverts_add shortcode from posts/pages.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to pages using the adverts_add shortcode to authenticated users only.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPAdverts version. If version is 2.1.6 or lower, you are vulnerable.Check Version:
wp plugin get wpadverts --field=versionVerify Fix Applied:
After updating, verify WPAdverts plugin version shows 2.1.7 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing script tags to pages with adverts_add shortcode
- Multiple failed XSS attempts in web server logs
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript execution in browser developer tools
SIEM Query:
source="web_server_logs" AND ("adverts_add" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))