CVE-2024-11327
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress pages through the ClickWhale plugin. Attackers can trick users into clicking specially crafted links, potentially stealing session cookies or redirecting them to malicious sites. All WordPress sites running ClickWhale plugin versions up to and including 2.4.1 are affected.
💻 Affected Systems
- ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages WordPress plugin
📦 What is this software?
Clickwhale by Flowdee
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of WordPress site, install backdoors, or redirect users to phishing/malware sites.
Likely Case
Attackers steal user session cookies, perform actions as authenticated users, or redirect to malicious content.
If Mitigated
Script execution blocked by CSP headers or browser XSS filters, limiting impact to failed exploitation attempts.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but technical complexity is minimal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3219341%40clickwhale&new=3219341%40clickwhale&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the ClickWhale plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, manually download version 2.4.2+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable ClickWhale Plugin
Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate clickwhale
Implement Content Security Policy
Add CSP headers to block inline script execution. Test the policy on a staging site first: WordPress core and the admin dashboard depend on inline scripts, so a strict script-src 'self' is likely to break wp-admin.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Remove ClickWhale plugin entirely and use alternative link management solutions.
- Implement web application firewall (WAF) rules to block XSS payloads in query parameters.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ClickWhale version. If version is 2.4.1 or lower, system is vulnerable.
Check Version:
wp plugin get clickwhale --field=version
Verify Fix Applied:
Verify ClickWhale plugin version is 2.4.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual query parameters containing script tags in WordPress admin URLs
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests with suspicious query parameters containing JavaScript payloads
SIEM Query:
source="web_server" AND (url="*<script*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
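As an added example that is not part of this advisory, the following Python script applies the same indicators as the SIEM query above to web-server access-log lines, percent-decoding each URL first so that encoded and double-encoded payloads are caught as well. The log lines and the query-parameter names (page, s, orderby) are constructed for illustration and are not taken from the plugin.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 1 and 3 carry encoded / double-encoded XSS probes, 2 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2024:10:01:22 +0000] "GET /wp-admin/admin.php?page=clickwhale-links&s=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2024:10:02:05 +0000] "GET /wp-admin/admin.php?page=clickwhale-links&orderby=title HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Dec/2024:10:03:40 +0000] "GET /wp-admin/admin.php?page=clickwhale-links&s=%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Dec/2024:10:04:12 +0000] "GET /go/summer-sale HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Same indicators as the advisory's SIEM query, matched case-insensitively.
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)
# Minimal combined-log-format parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are matched too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def scan_log(text: str) -> list[dict]:
    """Return one alert per request whose decoded URL contains an XSS indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        decoded = fully_decode(m["url"])
        hit = XSS_PATTERNS.search(decoded)
        if hit:
            alerts.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "indicator": hit.group(0).lower(),
                "admin_path": decoded.startswith("/wp-admin/"),  # advisory: admin URLs
                "url": decoded,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The `admin_path` flag lets a triage rule prioritise hits against wp-admin URLs, which is where the advisory places the affected endpoint.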
🔗 References
- https://plugins.trac.wordpress.org/browser/clickwhale/tags/2.3.0/includes/admin/links/Clickwhale_Links_List_Table.php#L384
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3219341%40clickwhale&new=3219341%40clickwhale&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/96c5836f-6d33-4a56-b30b-5e5d95b81b6b?source=cve