CVE-2024-12339
📋 TL;DR
The Digihood HTML Sitemap WordPress plugin contains a reflected cross-site scripting vulnerability in the 'channel' parameter that allows unauthenticated attackers to inject malicious scripts. When users click specially crafted links, attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites using this plugin up to version 3.1.1 are affected.
💻 Affected Systems
- Digihood HTML Sitemap WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access to WordPress, install backdoors, deface websites, or exfiltrate sensitive data.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to phishing sites, or perform limited actions within user permissions.
If Mitigated
With proper web application firewalls and security headers, the attack is blocked or limited to non-sensitive user sessions.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is trivial to weaponize in phishing campaigns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3159288%40wedesin-html-sitemap&new=3159288%40wedesin-html-sitemap
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Digihood HTML Sitemap'. 4. Click 'Update Now' if available, or download latest version from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Digihood HTML Sitemap plugin until patched
wp plugin deactivate wedesin-html-sitemap
Web Application Firewall rule
linuxBlock requests containing XSS payloads in the 'channel' parameter
ModSecurity rule: SecRule ARGS:channel "@rx <script" "id:1001,phase:2,deny,status:403,msg:'XSS attempt in channel parameter'"
🧯 If You Can't Patch
- Remove the Digihood HTML Sitemap plugin completely from your WordPress installation
- Implement Content Security Policy headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Digihood HTML Sitemap' version 3.1.1 or earlierCheck Version:
wp plugin get wedesin-html-sitemap --field=versionVerify Fix Applied:
Verify plugin version is 3.1.2 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'channel' parameter containing script tags or JavaScript code
- Unusual referrer URLs with encoded payloads
Network Indicators:
- GET requests with long, encoded 'channel' parameters
- Requests to plugin-specific endpoints with suspicious parameters
SIEM Query:
source="web_logs" AND uri="*channel=*" AND (uri="*<script*" OR uri="*javascript:*" OR uri="*onload=*" OR uri="*onerror=*")🔗 References
- https://plugins.trac.wordpress.org/browser/wedesin-html-sitemap/trunk/plugin-framework/Functions/Logging/html.php#L36
- https://plugins.trac.wordpress.org/browser/wedesin-html-sitemap/trunk/plugin-framework/Functions/Logging/html.php#L64
- https://www.wordfence.com/threat-intel/vulnerabilities/id/862f8743-5c8c-45ee-a2eb-9ae12c2800ca?source=cve
