CVE-2024-11356
📋 TL;DR
The tourmaster WordPress plugin before version 5.3.4 contains a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. This affects all WordPress sites using vulnerable versions of the tourmaster plugin. Attackers can execute arbitrary JavaScript in victims' browsers when they view compromised pages.
💻 Affected Systems
- tourmaster WordPress plugin
📦 What is this software?
Tour Master by Goodlayers
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, take over WordPress admin accounts, install backdoors, deface websites, or redirect visitors to malicious sites.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform phishing attacks, or redirect users to malicious content.
If Mitigated
Limited impact with proper content security policies (CSP) and input validation in place, though XSS payloads could still execute in some contexts.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited. The WPScan reference provides technical details that could be used to create exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.4
Vendor Advisory: https://wpscan.com/vulnerability/d70df54e-e99e-4539-9fd9-002c0642137e/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find tourmaster plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 5.3.4+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable tourmaster plugin
allTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate tourmaster
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure in web server settings
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Disable tourmaster plugin functionality or remove it entirely
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for tourmaster version. If version is below 5.3.4, system is vulnerable.Check Version:
wp plugin get tourmaster --field=versionVerify Fix Applied:
Verify tourmaster plugin version is 5.3.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests containing script tags or JavaScript payloads to tourmaster endpoints
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing malicious script payloads in parameters
- Outbound connections to suspicious domains after page loads
SIEM Query:
source="web_logs" AND (uri="*tourmaster*" AND (content="<script>" OR content="javascript:" OR content="onerror=" OR content="onload="))