CVE-2024-13349
📋 TL;DR
The Stockdio Historical Chart WordPress plugin has a stored XSS vulnerability in all versions up to 2.8.18. Authenticated attackers with contributor-level access or higher can inject malicious scripts via the plugin's shortcode attributes, which execute when users view affected pages. This affects all WordPress sites using vulnerable versions of this plugin.
💻 Affected Systems
- Stockdio Historical Chart WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies or redirect visitors to phishing pages.
If Mitigated
With proper user access controls and content sanitization, impact is limited to potential data exposure from compromised contributor accounts.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.19 or later
Vendor Advisory: https://wordpress.org/plugins/stockdio-historical-chart/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Stockdio Historical Chart' and click 'Update Now'.
4. Verify the installed version is 2.8.19 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate stockdio-historical-chart
Restrict User Roles
Limit contributor-level access to trusted users only
🧯 If You Can't Patch
- Remove contributor role from untrusted users
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Stockdio Historical Chart version
Check Version:
wp plugin get stockdio-historical-chart --field=version
Verify Fix Applied:
Confirm plugin version is 2.8.19 or higher in WordPress admin
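The version check above is easy to get wrong with a plain string comparison (2.8.9 sorts after 2.8.19 lexically). The following POSIX shell script is an added example, not part of this advisory or the plugin: it compares the version string that `wp plugin get stockdio-historical-chart --field=version` prints against the fixed version 2.8.19 field by field, and `check_installed_plugin` is a hypothetical wrapper that runs that command when wp-cli is present.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# Stockdio Historical Chart version is at or above the fixed release.
FIXED_VERSION="2.8.19"   # patch version named in the advisory

# version_ge A B: exit 0 when A >= B, comparing numeric dot-separated
# fields (2.8.9 < 2.8.19). Non-numeric suffixes such as "-beta" are dropped.
version_ge() {
    vg_a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    vg_b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    vg_i=1
    while [ "$vg_i" -le 8 ]; do
        vg_fa=$(printf '%s' "$vg_a" | cut -d. -f"$vg_i")
        vg_fb=$(printf '%s' "$vg_b" | cut -d. -f"$vg_i")
        # a missing field counts as 0, so "2.8" == "2.8.0"
        if [ "${vg_fa:-0}" -gt "${vg_fb:-0}" ]; then return 0; fi
        if [ "${vg_fa:-0}" -lt "${vg_fb:-0}" ]; then return 1; fi
        vg_i=$((vg_i + 1))
    done
    return 0   # all compared fields equal
}

# stockdio_is_fixed VERSION: exit 0 when VERSION is 2.8.19 or later.
stockdio_is_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# check_installed_plugin (hypothetical helper): query wp-cli for the live
# version and report. Returns 2 when wp-cli or the plugin is unavailable.
check_installed_plugin() {
    cip_v=$(wp plugin get stockdio-historical-chart --field=version 2>/dev/null) \
        || { echo "stockdio-historical-chart: not installed or wp-cli unavailable"; return 2; }
    if stockdio_is_fixed "$cip_v"; then
        echo "OK: stockdio-historical-chart $cip_v (>= $FIXED_VERSION)"
    else
        echo "VULNERABLE: stockdio-historical-chart $cip_v (update to $FIXED_VERSION or later)"
        return 1
    fi
}

# Only touch wp-cli when it exists; the comparison logic runs without it.
if command -v wp >/dev/null 2>&1; then
    check_installed_plugin
fi
```

Run it from the WordPress root (where wp-cli resolves the site) on each host in a fleet; a non-zero exit from `check_installed_plugin` marks the host as still vulnerable.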
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with stockdio-historical-chart parameters
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Script tags with unusual attributes in stockdio plugin requests
SIEM Query:
source="wordpress.log" AND "stockdio-historical-chart" AND ("script" OR "onerror" OR "onload")
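The SIEM query above matches the substring "script", which also fires on ordinary words such as "description". The following POSIX shell script is an added example, not part of this advisory: it runs a literal translation of the query and a tighter variant over a constructed sample log (the lines, IP addresses and shortcode attribute names are invented for the demonstration, not taken from the plugin).

```shell
#!/bin/sh
# Added example (not from the advisory): detection logic for the
# "stockdio-historical-chart" + script/onerror/onload indicators, run over
# constructed access-log lines.

# Constructed sample log: two benign shortcode saves, one benign save whose
# attribute value contains the word "description", two suspicious saves,
# and two asset requests.
sample_log() {
    cat <<'EOF'
203.0.113.10 - contributor1 [12/Jan/2025:09:12:01 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 post_content="[stockdio-historical-chart symbol=AAPL]"
203.0.113.10 - contributor1 [12/Jan/2025:09:13:15 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 post_content="[stockdio-historical-chart description=Daily]"
203.0.113.44 - contributor2 [12/Jan/2025:09:40:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 post_content="[stockdio-historical-chart title=%3Cscript%3Ex%3C%2Fscript%3E]"
203.0.113.44 - contributor2 [12/Jan/2025:09:41:30 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 post_content="[stockdio-historical-chart title=x onerror=x]"
198.51.100.7 - - [12/Jan/2025:10:00:00 +0000] "GET /wp-content/plugins/other-plugin/script.js HTTP/1.1" 200 1024
198.51.100.7 - - [12/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/stockdio-historical-chart/js/chart.js HTTP/1.1" 200 2048
EOF
}

# naive_filter: literal translation of the advisory's SIEM query
# (slug AND any of script/onerror/onload, case-insensitive).
naive_filter() {
    grep -i 'stockdio-historical-chart' | grep -iE 'script|onerror|onload'
}

# tight_filter: require a tag opener (plain "<" or percent-encoded "%3C")
# before "script", and an "=" after the event-handler name, so words such
# as "description" no longer match.
tight_filter() {
    grep -i 'stockdio-historical-chart' \
        | grep -iE '(<|%3C)script|on(error|load)[[:space:]]*='
}

# count_lines: number of lines on stdin ("0" on empty input, never an error).
count_lines() {
    grep -c . || true
}

echo "naive query matches: $(sample_log | naive_filter | count_lines)"   # 3
echo "tight query matches: $(sample_log | tight_filter | count_lines)"   # 2
echo "--- tight matches ---"
sample_log | tight_filter
```

Both filters only see what the web server logs; if request bodies are not logged, the shortcode text never reaches the log and the detection has to run on post revisions or the database instead. Double-encoded payloads (`%253C`) are also missed by the tight pattern, so decode before matching when the log pipeline allows it.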