CVE-2024-10472
📋 TL;DR
This vulnerability in the Stylish Price List WordPress plugin allows high-privilege users (like contributors) to inject malicious scripts into plugin settings. The stored XSS payload executes when other users view affected pages, even when unfiltered_html is disabled. WordPress multisite installations are particularly vulnerable.
💻 Affected Systems
- WordPress Stylish Price List plugin
📦 What is this software?
Stylish Price List by Stylishpricelist
⚠️ Risk & Real-World Impact
Worst Case
Attackers with contributor access could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors through stored XSS payloads.
Likely Case
Malicious contributors or compromised accounts inject tracking scripts, adware, or credential harvesting forms that affect all site visitors.
If Mitigated
With proper user access controls and regular plugin updates, impact is limited to minor content manipulation by trusted users.
🎯 Exploit Status
Exploitation requires contributor-level access or higher. The vulnerability is publicly documented with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.12
Vendor Advisory: https://wpscan.com/vulnerability/d79e5c05-26d0-4223-891f-42ac9fb6ef6e/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Stylish Price List' and click 'Update Now'.
4. Verify the version shows 7.1.12 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patching is possible:
wp plugin deactivate stylish-price-list
Restrict User Roles
Temporarily remove contributor access, or limit which roles may edit the plugin's settings.
🧯 If You Can't Patch
- Implement strict user access controls: limit contributor accounts to trusted users only
- Enable WordPress security plugins with XSS protection features
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the version is below 7.1.12, the site is vulnerable.
Check Version:
wp plugin get stylish-price-list --field=version
Verify Fix Applied:
Confirm plugin version shows 7.1.12 or higher in WordPress admin panel.
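The version check above can be scripted for many sites. The following is an added example, not part of this advisory: it wraps the WP-CLI command shown above and compares the reported version against 7.1.12 component by component, because a plain string comparison would wrongly rank 7.1.9 above 7.1.12. The `--path` argument and the `check_site` / `assess_version` function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Stylish Price List installs
# still below the patched release. Versions are compared numerically,
# dot by dot, so 7.1.9 < 7.1.12 and 7.1 < 7.1.12 are handled correctly.

PATCHED_VERSION="7.1.12"
PLUGIN_SLUG="stylish-price-list"

# version_lt A B: return 0 when A is strictly lower than B.
# Non-numeric suffixes (e.g. "12-beta") are ignored; missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"   # keep leading digits only
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1   # identical versions are not "lower"
}

# assess_version VERSION: print a verdict; return 1 if vulnerable, 0 if patched.
assess_version() {
    if version_lt "$1" "$PATCHED_VERSION"; then
        echo "VULNERABLE: $PLUGIN_SLUG $1 is below $PATCHED_VERSION"
        return 1
    fi
    echo "patched: $PLUGIN_SLUG $1 (>= $PATCHED_VERSION)"
    return 0
}

# check_site WP_PATH: query a live install with WP-CLI (assumed installed),
# e.g. check_site /var/www/html. Returns 2 if the plugin is absent.
check_site() {
    v=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) || {
        echo "skip: $PLUGIN_SLUG not installed at $1 (or wp-cli unavailable)"
        return 2
    }
    assess_version "$v"
}
```

Run `check_site` once per WordPress root on a multisite or multi-tenant host and act on any line starting with `VULNERABLE`.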
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin setting modifications by contributor users
- Multiple failed login attempts followed by plugin configuration changes
Network Indicators:
- External script loads from unexpected domains on price list pages
- Unusual outbound connections from WordPress admin sessions
SIEM Query:
source="wordpress" AND (event="plugin_edit" OR event="option_update") AND user_role="contributor" AND plugin="stylish-price-list"