CVE-2024-13313

4.8 MEDIUM

📋 TL;DR

The AWeber WordPress plugin through version 7.3.20 contains a stored cross-site scripting (XSS) vulnerability in its settings. This allows authenticated administrators to inject malicious scripts that execute when other users view affected pages, even in WordPress multisite configurations where unfiltered_html is restricted. Only WordPress sites using vulnerable versions of the AWeber plugin are affected.

💻 Affected Systems

Products:
  • AWeber WordPress Plugin
Versions: through 7.3.20
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with AWeber plugin. Vulnerability is present in default configuration. Requires admin-level access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to complete site compromise.

🟠 Likely Case

Malicious admin injects scripts that affect other privileged users, potentially leading to privilege escalation or data theft within the WordPress environment.

🟢 If Mitigated

With proper user access controls and plugin updates, impact is limited to authorized administrators who would need to intentionally exploit their own access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access to WordPress. The vulnerability is in plugin settings that should only be accessible to administrators.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.21 or later

Vendor Advisory: https://wpscan.com/vulnerability/cc35b2f4-f1f1-4ed3-91b2-025bd5848b29/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the AWeber plugin and click 'Update Now'.
4. Alternatively, download the latest version from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Remove Admin Access from Untrusted Users (platform: all)

Restrict admin privileges to only trusted personnel to prevent exploitation.

Disable AWeber Plugin (platform: linux)

Temporarily disable the plugin until patched if an immediate update is not possible:

wp plugin deactivate aweber

🧯 If You Can't Patch

  • Implement strict access controls to limit admin privileges to essential personnel only.
  • Deploy web application firewall (WAF) rules to detect and block XSS payloads in plugin settings.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for AWeber version. If version is 7.3.20 or earlier, system is vulnerable.

Check Version:

wp plugin list --name=aweber --field=version

Verify Fix Applied:

After update, verify AWeber plugin version shows 7.3.21 or later in WordPress plugins list.
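The version check above can be scripted. The following is an added example (not part of the advisory) that decides whether an installed AWeber version falls in the vulnerable range for CVE-2024-13313 (through 7.3.20, fixed in 7.3.21). It compares version fields numerically, so "7.3.9" is correctly treated as older than "7.3.21" (a plain string comparison would not do this); the `wp` invocation in the usage comment assumes WP-CLI is installed, as the advisory's own command does.

```shell
#!/bin/sh
# Added example: classify an AWeber plugin version against the fix for
# CVE-2024-13313. Vulnerable: any version below 7.3.21.
FIXED_VERSION="7.3.21"

# version_lt A B -> exit 0 if A < B, comparing dot-separated numeric fields
# (missing trailing fields count as 0, so "7.3.21" == "7.3.21.0").
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"          # leading field of each
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"   # drop consumed field
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax=$(( ${ax:-0} )); bx=$(( ${bx:-0} ))    # numeric, not lexical
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1                                  # equal -> not less than
}

# aweber_vulnerable VERSION -> exit 0 if VERSION is affected (< 7.3.21)
aweber_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Usage on a live site (WP-CLI required):
#   v="$(wp plugin list --name=aweber --field=version)"
#   aweber_vulnerable "$v" && echo "AWeber $v: VULNERABLE, update to $FIXED_VERSION+" \
#                          || echo "AWeber $v: fixed version installed"
```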

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to AWeber plugin settings
  • Admin users saving suspicious content in plugin configuration

Network Indicators:

  • HTTP requests containing script tags or JavaScript in AWeber plugin parameter values

SIEM Query:

source="wordpress" AND (plugin="aweber" AND action="update") AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")
