CVE-2024-12743
📋 TL;DR
This vulnerability in the MailPoet WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute when other users view those settings. It affects WordPress sites running MailPoet versions before 5.5.2, particularly in multisite configurations where unfiltered_html is restricted.
💻 Affected Systems
- MailPoet WordPress Plugin
📦 What is this software?
Mailpoet by Automattic
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could inject persistent XSS payloads that steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
Likely Case
Malicious admin injects XSS that affects other administrators or privileged users viewing plugin settings, potentially leading to account compromise or privilege escalation.
If Mitigated
With proper user access controls and regular admin auditing, impact is limited to the plugin's settings pages and only affects users with plugin access.
🎯 Exploit Status
Exploitation requires admin-level access to WordPress. No public exploit code has been observed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.2
Vendor Advisory: https://wpscan.com/vulnerability/7945f52d-364d-438c-84f2-cf19b4250056/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find MailPoet and click 'Update Now'.
4. Verify the version shows 5.5.2 or higher.
🔧 Temporary Workarounds
Remove Admin Privileges
Temporarily restrict admin access to essential personnel only until the patch is applied.
Disable MailPoet Plugin
Temporarily deactivate the MailPoet plugin if it is not critically needed.
wp plugin deactivate mailpoet
🧯 If You Can't Patch
- Implement strict user access controls and audit admin activities regularly
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check MailPoet plugin version in WordPress admin under Plugins → Installed Plugins
Check Version:
wp plugin get mailpoet --field=version
Verify Fix Applied:
Confirm MailPoet version is 5.5.2 or higher in plugin details
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying MailPoet settings
- Multiple failed login attempts followed by successful admin login
Network Indicators:
- Suspicious JavaScript in HTTP POST requests to /wp-admin/admin.php?page=mailpoet-*
SIEM Query:
source="wordpress.log" AND ("mailpoet" AND "admin.php") AND ("POST" OR "UPDATE")
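The version check from "How to Verify" and the network indicator from "Detection & Monitoring" above, as an added Python example (not part of this advisory or of MailPoet): it compares the output of `wp plugin get mailpoet --field=version` against 5.5.2 and scans request-log events for script markers in POSTs to `/wp-admin/admin.php?page=mailpoet-*`. The event dict format and the `mailpoet-settings` page slug in the sample events are assumptions; the events themselves are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = (5, 5, 2)  # first MailPoet release carrying the fix, per the advisory

def parse_version(text):
    """Parse '5.5.1'-style output of `wp plugin get mailpoet --field=version` into a tuple."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable(version_text):
    """True when the installed MailPoet version is below 5.5.2."""
    return parse_version(version_text) < FIXED_VERSION

# Markers of script injection in a submitted settings form; tune for your environment
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript:|\bon(?:error|load|click|mouseover)\s*=", re.I)

def flag_request(event):
    """Reason string if a logged request matches the network indicator, else None.
    `event` is a dict with 'method', 'url', 'body' from a request log that records
    POST bodies (hypothetical format, e.g. a WAF export)."""
    if event.get("method", "").upper() != "POST":
        return None
    url = urlsplit(event.get("url", ""))
    page = parse_qs(url.query).get("page", [""])[0]
    if not url.path.endswith("/wp-admin/admin.php") or not page.startswith("mailpoet-"):
        return None
    # Form bodies arrive URL-encoded, so decode before pattern matching
    hit = SCRIPT_MARKERS.search(unquote_plus(event.get("body", "")))
    return f"script marker {hit.group(0)!r} in POST to page={page}" if hit else None

def scan_events(events):
    """Return (timestamp, user, reason) for every event that trips the indicator."""
    rows = [(e["ts"], e["user"], flag_request(e)) for e in events]
    return [row for row in rows if row[2]]

# Constructed sample events (not real traffic); only admin2's request should be flagged
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:12:01Z", "user": "admin1", "method": "POST",
     "url": "/wp-admin/admin.php?page=mailpoet-settings",
     "body": "sender_name=Newsletter&sender_address=news%40example.com"},
    {"ts": "2025-01-10T09:15:44Z", "user": "admin2", "method": "POST",
     "url": "/wp-admin/admin.php?page=mailpoet-settings",
     "body": "sender_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"},
    {"ts": "2025-01-10T09:16:10Z", "user": "editor1", "method": "POST",
     "url": "/wp-admin/admin.php?page=wc-settings", "body": "title=%3Cscript%3E"},
]
```

Feed `scan_events` the events from whatever request log records bodies on your site; a plain access log will not carry the POST body, so the scan needs WAF or proxy output.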