CVE-2024-13395
📋 TL;DR
The Threepress WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Threepress plugin versions up to 1.7.1 are affected.
💻 Affected Systems
- WordPress Threepress Plugin
📦 What is this software?
Threepress by Kerryoco
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, deface content, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions as authenticated users, or display phishing content to visitors.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages without credential theft.
🎯 Exploit Status
Exploitation requires authenticated access (contributor or higher). The vulnerability is in the 'threepress' shortcode attribute handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2
Vendor Advisory: https://plugins.trac.wordpress.org/browser/threepress/tags/1.7.2/threepress.php#L263
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Threepress plugin and click 'Update Now'.
4. Alternatively, download version 1.7.2 from the WordPress plugin repository and manually replace the plugin files.
🔧 Temporary Workarounds
Disable Threepress Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate threepress
Restrict User Roles
Temporarily remove contributor-level access from untrusted users (the command below demotes every contributor to subscriber, so review the list first; `wp user set-role` takes one user per call, hence `xargs -I{}`)
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall rules to block suspicious shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Threepress version. If version is 1.7.1 or lower, you are vulnerable.
Check Version:
wp plugin get threepress --field=version
Verify Fix Applied:
After updating, verify Threepress plugin shows version 1.7.2 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with threepress shortcode parameters containing script tags
- Multiple page edits by contributor-level users in short timeframe
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site after page views
SIEM Query:
source="wordpress.log" AND ("threepress" AND ("<script" OR "javascript:" OR "onerror="))
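As an added example (not part of this advisory or the plugin), a Python scanner that applies the log indicators above to stored post content rather than to request logs: it parses `[threepress ...]` shortcode attributes using the three WordPress attribute forms (double-quoted, single-quoted, bare) and flags values that carry a script payload or break out of a quoted HTML attribute. The attribute names and post bodies are constructed samples, since the advisory does not name the vulnerable attribute.

```python
import json
import re
import sys

# Attribute text of a [threepress ...] tag; quoted values may contain ']'
SHORTCODE_RE = re.compile(r'\[threepress\b((?:"[^"]*"|\'[^\']*\'|[^\]"\'])*)\]')
# WordPress shortcode attribute forms: key="v", key='v', key=v
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]"\']+))')
# Script-bearing values, mirroring the log indicators in this advisory
SUSPICIOUS_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)


def parse_attrs(attr_text):
    """Return {name: value} for the attribute string of one shortcode."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        attrs[name.lower()] = next(v for v in (dq, sq, bare) if v is not None)
    return attrs


def scan_post(post_id, content):
    """Flag threepress shortcodes whose attribute values carry a script payload."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            if SUSPICIOUS_RE.search(value):
                findings.append({"post_id": post_id, "attr": name, "value": value})
    return findings


def scan_posts(posts):
    """posts: {post_id: post_content}; returns all findings across posts."""
    return [f for pid, body in posts.items() for f in scan_post(pid, body)]


# Constructed sample content (hypothetical attribute names), not real site data
SAMPLE_POSTS = {
    101: 'Intro [threepress title="Quarterly report" theme=light] outro',
    102: "[threepress title='<script>alert(document.cookie)</script>']",
    103: '[threepress caption="hi" link="javascript:alert(1)"] and [threepress]',
    104: '[threepress theme=\'light" onmouseover="alert(1)\']',  # quote breakout
}

if __name__ == "__main__":
    # Optional: pass a JSON file mapping post IDs to post_content exported from the site
    posts = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POSTS
    for f in scan_posts(posts):
        print(f"post {f['post_id']}: attribute '{f['attr']}' = {f['value']!r}")
```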