CVE-2024-13115
📋 TL;DR
This vulnerability in the WP Projects Portfolio with Client Testimonials WordPress plugin is a Cross-Site Request Forgery (CSRF) that leads to stored Cross-Site Scripting (XSS). An attacker who gets a logged-in administrator to open a crafted page can make the administrator's browser submit a state-changing request that the plugin accepts without any proof the administrator intended it, storing attacker-controlled script in the site. That script then executes in the browsers of visitors or administrators who view the affected page. All WordPress sites running a vulnerable version of the plugin are affected.
💻 Affected Systems
- WP Projects Portfolio with Client Testimonials WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
The stored script runs in an administrator's browser session and is used to perform further privileged actions through the admin interface (for example creating an administrator account or installing a backdoor), giving the attacker persistent control of the site; the same script can harvest data entered by visitors or deface public pages.
Likely Case
Injected JavaScript runs for everyone who views the affected page: it redirects visitors to phishing sites, displays unwanted content, or harvests data typed into forms. Outright session-cookie theft is less likely than the text of many advisories suggests, because WordPress sets its authentication cookies HttpOnly; script running in an administrator's session instead issues authenticated requests directly from the browser.
If Mitigated
With a nonce check on the state-changing request (WordPress provides this through wp_nonce_field() in the form and check_admin_referer() or wp_verify_nonce() in the handler), the forged request is rejected because the attacker cannot obtain the victim's nonce. With input sanitisation and output escaping, any value that does get stored cannot execute as script, so the XSS half of the chain fails even if another path writes the data.
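The control described above, written out as an added example; this is not code from the WP Projects Portfolio with Client Testimonials plugin, and every function, option, action and shortcode name with the wppp_ prefix is an assumption made for illustration. The first handler shows the CSRF-prone pattern (no nonce, no capability check, raw HTML stored); the second shows the hardened form that the fix in version 3.1 is expected to resemble.

```php
<?php
/**
 * Added illustration for CVE-2024-13115, not the affected plugin's code.
 * All wppp_* names are hypothetical. Drop into a test site as a mu-plugin
 * to compare the two handlers; never deploy the vulnerable one.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Any web page can POST action=wppp_save_testimonial_vuln to admin-post.php.
// If an administrator's browser sends it (cookies are attached automatically),
// the plugin stores attacker-chosen HTML, <script> included.
function wppp_save_testimonial_vulnerable() {
    $text = isset( $_POST['testimonial'] ) ? wp_unslash( $_POST['testimonial'] ) : '';
    update_option( 'wppp_testimonial', $text ); // stored verbatim
    wp_safe_redirect( admin_url( 'admin.php?page=wppp&saved=1' ) );
    exit;
}
add_action( 'admin_post_wppp_save_testimonial_vuln', 'wppp_save_testimonial_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function wppp_save_testimonial_hardened() {
    // 1. CSRF: the nonce exists only in forms this site rendered for this
    //    user; a forged cross-site form cannot supply it. Dies on mismatch.
    check_admin_referer( 'wppp_save_testimonial', 'wppp_nonce' );

    // 2. Authorisation: being logged in is not the same as being allowed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 3. Input validation: keep post-safe HTML only; <script>, on* handlers
    //    and javascript: URLs are stripped by wp_kses_post().
    $text = isset( $_POST['testimonial'] )
        ? wp_kses_post( wp_unslash( $_POST['testimonial'] ) )
        : '';
    update_option( 'wppp_testimonial', $text );

    wp_safe_redirect( admin_url( 'admin.php?page=wppp&saved=1' ) );
    exit;
}
add_action( 'admin_post_wppp_save_testimonial', 'wppp_save_testimonial_hardened' );

// The legitimate admin form: wp_nonce_field() emits the hidden nonce the
// hardened handler verifies, plus a referer field.
function wppp_render_testimonial_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wppp_save_testimonial">
        <?php wp_nonce_field( 'wppp_save_testimonial', 'wppp_nonce' ); ?>
        <textarea name="testimonial"><?php echo esc_textarea( get_option( 'wppp_testimonial', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Public output: filtering again on the way out means a value that reached
// the option through some other path still cannot execute as script.
function wppp_shortcode_testimonial() {
    return '<blockquote class="wppp-testimonial">'
        . wp_kses_post( get_option( 'wppp_testimonial', '' ) )
        . '</blockquote>';
}
add_shortcode( 'wppp_testimonial', 'wppp_shortcode_testimonial' );
```

The nonce check is what breaks the CSRF; the sanitisation and output filtering are what break the XSS. Both are needed: a nonce alone still lets a malicious administrator store script, and sanitisation alone still lets an attacker make an administrator change content they never intended to change.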
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get an administrator who is logged in to open a page that submits the forged request (no authentication bypass is involved). Once that happens the technical step is trivial, because the browser attaches the administrator's cookies to the request automatically.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1 or later
Vendor Advisory: https://wpscan.com/vulnerability/76e46727-3995-4442-bbcb-04e793d72108/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Projects Portfolio with Client Testimonials'.
4. Click 'Update Now' if available, or manually update to version 3.1 or later.
5. Verify the plugin now reports a patched version.
🔧 Temporary Workarounds
Disable the vulnerable plugin
Temporarily deactivate the plugin until it can be updated to a secure version. Deactivation unloads the handler that accepts the forged request, so it is a complete stop-gap, at the cost of the portfolio and testimonial content disappearing from the site.
wp plugin deactivate wp-projects-portfolio-with-client-testimonials
Harden response headers (defence in depth only)
None of the headers below stops a forged cross-site POST; the only real fix is the nonce check in the patched plugin. They limit what an injected script can do once stored, and each has side effects that should be tested on a staging site first.
Add to .htaccess: Header set X-Frame-Options "SAMEORIGIN" (prevents clickjacking of wp-admin; does nothing against CSRF)
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'" (blocks inline and third-party script, so a stored XSS payload will not execute, but wp-admin and most themes rely on inline script and will break; roll out with Content-Security-Policy-Report-Only first)
Add to wp-config.php: define('FORCE_SSL_ADMIN', true); (keeps admin sessions on HTTPS so they cannot be sniffed; does not affect CSRF)
🧯 If You Can't Patch
- Remove the plugin entirely if no update is available.
- Restrict admin access to trusted networks only and enforce strong authentication. Note that this does not stop the CSRF itself: the forged request comes from the administrator's own browser, inside the trusted network, with a valid session. Ask administrators not to browse untrusted sites while logged in to wp-admin, and to log out when finished, since the attack needs an active session.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 3.0 or lower, it is vulnerable.
Check Version:
wp plugin get wp-projects-portfolio-with-client-testimonials --field=version
Verify Fix Applied:
Confirm the plugin version is 3.1 or higher after updating.
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/admin-ajax.php or plugin-specific endpoints whose Referer or Origin header is absent or names a host other than the site itself. In a CSRF the request is sent by the administrator's own browser, so the source IP, user agent and session cookie all look legitimate; IP-based indicators will not catch it.
- Content changes (new or altered projects or testimonials) that no administrator recognises, especially ones containing <script> tags, on* event attributes or javascript: URLs, or made at times when no administrator was working.
Network Indicators:
- Script tags or event-handler attributes in request bodies sent to plugin endpoints, and subsequently in responses that serve the portfolio or testimonial pages.
- Requests to the plugin's save endpoints that carry no nonce parameter, or whose Referer is from a foreign origin. A Referrer-Policy can strip the Referer legitimately, so a missing header on its own is weak evidence; a foreign Referer on a state-changing POST is strong evidence.
SIEM Query:
source="wordpress.log" AND http_method="POST" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "wp-projects-portfolio") AND (referer IS NULL OR referer NOT CONTAINS "<own_domain>") AND (origin IS NULL OR origin NOT CONTAINS "<own_domain>")
(Pseudo-syntax; replace <own_domain> with the site's hostname and adapt field names to your log schema. The query needs the web server's access log with the Referer and Origin headers recorded; WordPress itself does not log them. Do not filter on user agent, which will be the administrator's normal browser.)