CVE-2024-11502
📋 TL;DR
This vulnerability in the Planning Center Online Giving WordPress plugin allows authenticated users with the Contributor role or higher to inject arbitrary web scripts into pages and posts through shortcode attributes that the plugin neither sanitizes on input nor escapes on output. The payload is stored with the post and executes in the browser of anyone who views the page, making this a stored cross-site scripting (XSS) bug. WordPress sites running the plugin through version 1.0.0 are affected.
💻 Affected Systems
- Planning Center Online Giving WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with contributor access could inject malicious scripts that steal administrator session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Malicious contributors inject scripts that display phishing forms, redirect users to malicious sites, or steal session cookies from visitors and other users viewing the compromised pages.
If Mitigated
If the plugin is updated to 1.0.1 (which escapes the attributes) the injection path is closed. Short of that, restricting Contributor-level accounts to people you trust limits the attack surface to users who already have some editorial access, but it does not remove the bug.
🎯 Exploit Status
Exploitation requires Contributor-level access or higher and is straightforward once an attacker has it: the payload is placed in a shortcode attribute in post content, no special tooling needed. Two practical notes: a Contributor cannot publish, but submitting the post for review is enough, because the Editor or Administrator who previews the pending post is exactly the victim that matters; and on single-site WordPress, Editors and Administrators already hold the unfiltered_html capability, so the privilege boundary this bug actually breaks is the Contributor and Author one.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1 or later
Vendor Advisory: https://wpscan.com/vulnerability/d9bea52e-af32-449f-97b6-1dcfb2051bda/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Planning Center Online Giving' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.0.1 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Remove Contributor Role Access
Temporarily strip the Contributor role from untrusted accounts, or deactivate the plugin, until it is patched. List the accounts first so you know what you are changing. Note that `wp user remove-role` leaves an account whose only role was contributor with no role at all (effectively locked out); use `wp user set-role <username> subscriber` instead if the account should stay usable.
wp user list --role=contributor
wp user remove-role <username> contributor
wp plugin deactivate planning-center-online-giving
Implement Content Security Policy
Add a CSP header to limit what an injected script can do. Because the injection is inline (a script tag or event-handler attribute in post content), a policy without 'unsafe-inline' blocks the payload outright. This is a blunt instrument on WordPress: the admin dashboard and many themes rely on inline scripts, so the policy below will break them. Roll it out as Content-Security-Policy-Report-Only first, check the reports, then enforce.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php (runs before any output, so the header is sent on every request; a must-use plugin hooked to send_headers is the cleaner equivalent): header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Disable the Planning Center Online Giving plugin completely
- Implement strict user role management and audit all contributor-level users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Planning Center Online Giving' version 1.0.0 or earlier.
Check Version:
wp plugin get planning-center-online-giving --field=version
Verify Fix Applied:
Verify plugin version is 1.0.1 or later in WordPress admin panel > Plugins > Installed Plugins.
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor users
- Suspicious script tags in post_content database entries
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected script loads in page responses
SIEM Query (illustrative; WordPress core does not write an edit log, so this assumes an audit-logging plugin or similar is feeding post-update events to your SIEM, and the field names must be adapted to that source):
source="wordpress.log" AND ("shortcode" OR "plugin" OR "contributor") AND ("edit" OR "update" OR "inject")
A more targeted filter is post-create and post-update events where the acting user's role is contributor and the new content contains "<script", "javascript:" or an on*= attribute.