CVE-2024-13455
📋 TL;DR
The igumbi Online Booking WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 1.40 are affected.
💻 Affected Systems
- igumbi Online Booking WordPress plugin
📦 What is this software?
Igumbi by Igumbi
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the website, or redirect visitors to malicious sites.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions as authenticated users, or display phishing content to visitors.
If Mitigated
With proper user access controls and content security policies, the impact is limited to potential data exposure from the compromised user account.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.40
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'igumbi Online Booking' and click 'Update Now'.
4. Verify the plugin version is above 1.40.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'igumbi_calendar' shortcode from all posts and pages
Search WordPress database for '[igumbi_calendar' in post_content and remove
Implement Content Security Policy
Add CSP headers to prevent script execution from untrusted sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or use WordPress security plugins to implement CSP
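The first workaround above asks you to find every post or page whose post_content carries the '[igumbi_calendar' shortcode and remove it. The following script is an added example written for this advisory; it is not code from the igumbi plugin or from the advisory's author. It assumes you have exported rows of the posts table (ID, post_author, post_status, post_content), for example with WP-CLI under the default wp_ table prefix: `wp db query "SELECT ID, post_author, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[igumbi_calendar%'"`. It goes a little beyond the page by also parsing each tag's attributes and flagging values that contain markup or script-like fragments, so an administrator can prioritise which posts to inspect before stripping the shortcode; the SAMPLE_ROWS are constructed for illustration and the flagged row is not a claim about which attribute the plugin mishandles.

```python
"""Audit exported WordPress post content for the igumbi_calendar shortcode.

Added example, not code from the igumbi plugin or from this advisory.
Input rows are (ID, post_author, post_status, post_content) tuples, e.g.
exported with WP-CLI (assumed default wp_ table prefix):

  wp db query "SELECT ID, post_author, post_status, post_content
               FROM wp_posts WHERE post_content LIKE '%[igumbi_calendar%'"
"""
import re
from dataclasses import dataclass, field

# One shortcode tag; group 1 is the raw attribute text between name and ']'.
SHORTCODE_RE = re.compile(r"\[igumbi_calendar\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Fragments that have no place in a booking widget's configuration values.
# A hit means "inspect this post", not proof that it was exploited.
SUSPICIOUS_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=|%3c", re.IGNORECASE)


@dataclass
class Finding:
    post_id: int
    author_id: int
    status: str
    shortcode: str                      # raw tag exactly as stored in post_content
    attrs: dict = field(default_factory=dict)
    suspicious: dict = field(default_factory=dict)


def parse_attrs(attr_text: str) -> dict:
    """Return {name: value} for the attributes of one shortcode tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_posts(rows) -> list:
    """Locate every igumbi_calendar tag and flag attribute values that carry markup."""
    findings = []
    for post_id, author_id, status, content in rows:
        for m in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(m.group(1))
            suspicious = {k: v for k, v in attrs.items() if SUSPICIOUS_RE.search(v)}
            findings.append(Finding(post_id, author_id, status, m.group(0), attrs, suspicious))
    return findings


def strip_shortcode(content: str) -> str:
    """Workaround helper: remove every igumbi_calendar tag from a post body."""
    return SHORTCODE_RE.sub("", content)


# Constructed sample rows: a benign use, a tag whose attribute value carries
# markup, and a post that does not use the shortcode at all.
SAMPLE_ROWS = [
    (101, 2, "publish", '<p>Book a room:</p>[igumbi_calendar month="2024-09" lang="en"]'),
    (102, 7, "pending", "[igumbi_calendar lang=\"en\" title='<script>alert(1)</script>']"),
    (103, 2, "publish", "No booking widget on this page."),
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_ROWS):
        verdict = "INSPECT" if f.suspicious else "ok"
        print(f"post {f.post_id} (author {f.author_id}, {f.status}): {verdict} {f.suspicious or ''}")
```

Run the audit first and keep the flagged rows (post ID, author, raw tag) as evidence before applying `strip_shortcode` and writing the cleaned content back; the author IDs also tell you which contributor accounts to review under "If You Can't Patch".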
🧯 If You Can't Patch
- Remove contributor-level access from untrusted users
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for igumbi Online Booking version 1.40 or lower
Check Version:
wp plugin list --name='igumbi-online-booking' --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is above 1.40 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with igumbi_calendar parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from WordPress server
- Unusual JavaScript payloads in HTTP responses
SIEM Query:
source="wordpress.log" AND ("igumbi_calendar" OR ("contributor" AND "login"))