CVE-2024-11199
📋 TL;DR
The Rescue Shortcodes WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 2.9 are affected.
💻 Affected Systems
- Rescue Shortcodes WordPress Plugin
📦 What is this software?
Rescue Shortcodes by Rescuethemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially gaining administrative access.
If Mitigated
With proper user access controls and content filtering, impact is limited to defacement or minor data leakage from affected pages.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.9.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3193428/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Rescue Shortcodes plugin. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 2.9.1+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate rescue-shortcodes
Restrict User Roles
linuxRemove contributor-level access from untrusted users
wp user list --role=contributor --field=ID | xargs wp user set-role subscriber
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Rescue Shortcodes version 2.9 or earlierCheck Version:
wp plugin list --name=rescue-shortcodes --field=versionVerify Fix Applied:
Verify plugin version is 2.9.1 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to pages containing rescue_progressbar shortcode
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected script tags in page responses
SIEM Query:
source="wordpress.log" AND ("rescue_progressbar" OR "shortcode-functions.php") AND ("POST" OR "script")🔗 References
- https://plugins.trac.wordpress.org/browser/rescue-shortcodes/tags/2.9/includes/shortcode-functions.php#L379
- https://plugins.trac.wordpress.org/changeset/3193428/
- https://wordpress.org/plugins/rescue-shortcodes/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a188c615-513b-4d65-8351-d70848696297?source=cve
