CVE-2024-12302
📋 TL;DR
The Icegram Engage WordPress plugin before version 3.1.32 has a stored cross-site scripting (XSS) vulnerability in campaign settings. This allows authenticated users with author-level permissions or higher to inject malicious scripts that execute when other users view affected pages. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Icegram Engage WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Malicious authors could inject scripts that steal user session data or display unwanted content to visitors, compromising user privacy and site integrity.
If Mitigated
With proper user role management and content security policies, impact is limited to potential defacement or minor data leakage from affected campaign pages.
🎯 Exploit Status
Exploitation requires author-level WordPress credentials. Public proof-of-concept exists in vulnerability databases.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.32
Vendor Advisory: https://wpscan.com/vulnerability/ed860dac-8c4a-482f-8826-31f1a894b6ce/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Icegram Engage plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.1.32+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily restrict author-level access to trusted users only until the patch is applied.
Content Security Policy
Implement CSP headers to restrict script execution from unauthorized sources.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to .htaccess or the web server config. Note that script-src 'self' without 'unsafe-inline' also blocks the inline scripts the WordPress admin and many plugins rely on, so test the policy before enforcing it site-wide; CSP limits what an injected script can do but does not remove the stored payload.
🧯 If You Can't Patch
- Disable the Icegram Engage plugin completely
- Implement web application firewall rules to block XSS payloads in campaign parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Icegram Engage → Version number. If version is below 3.1.32, system is vulnerable.
Check Version:
wp plugin list --name=icegram-engage --field=version
If the command prints nothing, run wp plugin list without the --name filter and read the slug the site actually uses for the plugin.
Verify Fix Applied:
After updating, verify plugin version shows 3.1.32 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to campaign settings by author-level users
- JavaScript payloads in POST requests to /wp-admin/admin-ajax.php
Network Indicators:
- Script tags with unusual attributes in campaign-related HTTP responses
- External script loads from campaign content
SIEM Query:
source="wordpress.log" AND ("icegram" OR "campaign") AND ("script" OR "onload" OR "onerror")
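The version test from "How to Verify" and the SIEM query above, as an added Python example that is not part of the original advisory: it compares the installed version against 3.1.32 numerically (a plain string comparison would rank 3.1.4 above 3.1.32), then runs the query's terms over constructed log lines, showing that the bare term "script" also flags a benign "description" field and that URL-encoded POST bodies must be decoded before matching. The action and parameter names in the sample lines are assumptions; only the admin-ajax.php endpoint comes from the advisory.

```python
import re
from urllib.parse import unquote_plus
from typing import Iterable, List, Tuple

# Release that carries the fix, as stated in the advisory.
FIXED_VERSION = "3.1.32"

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.1.4' -> (3, 1, 4): numeric parts, so ordering is not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_vulnerable_version(installed: str) -> bool:
    """True when the installed plugin is older than the fixed release.
    A string comparison would rank '3.1.4' above '3.1.32'; tuples do not."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

# Terms of the advisory's SIEM query, applied as case-insensitive substrings.
CONTEXT_TERMS = ("icegram", "campaign")
PAYLOAD_TERMS = ("script", "onload", "onerror")

def matches_siem_query(line: str) -> bool:
    """Literal reading: (icegram OR campaign) AND (script OR onload OR onerror)."""
    low = unquote_plus(line).lower()  # POST bodies are usually URL-encoded in logs
    return any(t in low for t in CONTEXT_TERMS) and any(t in low for t in PAYLOAD_TERMS)

# Tighter variant: the bare word "script" also matches "description", so require
# a script tag or an on* event-handler attribute in the decoded line instead.
TIGHT_PATTERN = re.compile(r"<\s*script\b|\bon(?:load|error)\s*=", re.IGNORECASE)

def matches_tight(line: str) -> bool:
    decoded = unquote_plus(line)
    has_context = any(t in decoded.lower() for t in CONTEXT_TERMS)
    return has_context and TIGHT_PATTERN.search(decoded) is not None

def triage(lines: Iterable[str]) -> List[str]:
    """Lines that survive the tighter check and deserve an analyst's look."""
    return [ln for ln in lines if matches_tight(ln)]

# Constructed sample log lines (hypothetical, not captured traffic). The action
# and parameter names are made up; only the endpoint comes from the advisory.
SAMPLE_LOG = [
    "author1 POST /wp-admin/admin-ajax.php action=save_campaign description=Spring+sale",
    "author2 POST /wp-admin/admin-ajax.php action=save_campaign body=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "editor1 GET /wp-admin/edit.php?post_type=page",
    "author3 POST /wp-admin/admin-ajax.php campaign_title=%3Cimg+onerror%3Dalert(1)%3E",
]

if __name__ == "__main__":
    print("loose hits:", sum(map(matches_siem_query, SAMPLE_LOG)), "tight hits:", triage(SAMPLE_LOG))
```

The loose query flags three of the four sample lines, including the harmless "description" save; the tighter check keeps only the two that carry an actual script tag or event handler.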