CVE-2024-13486
📋 TL;DR
The Icegram Engage WordPress plugin before version 3.1.32 contains a stored cross-site scripting (XSS) vulnerability in plugin settings. This allows authenticated administrators to inject malicious scripts that execute when other users view affected pages, even in WordPress multisite configurations where unfiltered_html is restricted. Only WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Icegram Engage WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Malicious admin injects tracking scripts or defaces website content visible to other users, damaging reputation and potentially capturing user data.
If Mitigated
With proper access controls limiting admin privileges and regular security audits, impact is minimal as exploitation requires high-privilege access.
🎯 Exploit Status
Exploitation requires administrator-level access to WordPress. No public exploit code has been identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.32
Vendor Advisory: https://wpscan.com/vulnerability/cbba8346-41f6-46ee-89ae-ed9524d768ef/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Icegram Engage plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.1.32 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the Icegram Engage plugin until patched
wp plugin deactivate icegram-engage
wp plugin delete icegram-engage
Restrict admin access
Limit administrator accounts to trusted personnel only and implement multi-factor authentication
🧯 If You Can't Patch
- Implement strict access controls for WordPress admin accounts with multi-factor authentication
- Deploy web application firewall (WAF) rules to block XSS payloads in plugin settings
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Icegram Engage → Version number. If version is below 3.1.32, system is vulnerable.
Check Version:
wp plugin get icegram-engage --field=version
Verify Fix Applied:
Confirm plugin version is 3.1.32 or higher in WordPress admin panel.
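The following script is an added example, not part of this advisory or of the vendor's tooling. It wraps the wp-cli check above in a proper version comparison against the fixed release (3.1.32), so that a version such as 3.1.4 is not mistaken for "newer" by a plain string compare, and it reports the plugin as not installed when wp-cli cannot find it. The plugin slug `icegram-engage` and the `wp plugin get` invocation are taken from the advisory; everything else (function names, the handling of suffixes such as `-beta`) is this example's own.

```shell
#!/bin/sh
# Added example: compare the installed Icegram Engage version with the fixed release.
# Assumes wp-cli is on PATH and is run from the WordPress root (or with --path).
FIXED_VERSION="3.1.32"   # first release without the stored XSS (from the advisory)
PLUGIN_SLUG="icegram-engage"

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# Components are compared numerically; a non-numeric suffix ("32-beta") is ignored.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) ah=${a%%.*}; a=${a#*.};; *) ah=$a; a=;; esac
        case $b in *.*) bh=${b%%.*}; b=${b#*.};; *) bh=$b; b=;; esac
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}   # drop trailing non-digits
        ah=${ah:-0}; bh=${bh:-0}               # missing component counts as 0
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1   # identical versions are not "less than"
}

# assess_version V: print "vulnerable" if V is below the fix, else "fixed".
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# check_installed_site: query wp-cli (command from the advisory) and classify the result.
# Prints "not-installed" when wp-cli does not know the plugin.
check_installed_site() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "not-installed"
        return 0
    }
    echo "$PLUGIN_SLUG $installed: $(assess_version "$installed")"
}

if command -v wp >/dev/null 2>&1; then
    check_installed_site
else
    echo "wp-cli not found; run this on the WordPress host" >&2
fi
```

Run it on the WordPress host as the web user (for example `sudo -u www-data sh check-icegram.sh`); a result of `vulnerable` means the plugin should be updated or deactivated as described above. The comparison treats `3.1.32` itself and any later version as fixed.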
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Icegram Engage plugin settings
- Administrator accounts making unexpected configuration changes
Network Indicators:
- Suspicious JavaScript payloads in HTTP POST requests to wp-admin/admin-ajax.php or plugin settings endpoints
SIEM Query:
source="wordpress.log" AND ("icegram" OR "engage") AND ("update" OR "settings" OR "ajax") AND javascript_patterns
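The SIEM query above is a pseudo-query (`javascript_patterns` is a placeholder, not a field or macro of any particular product). As an added example, not from the advisory, the script below turns the "network indicators" into a concrete filter that can be run over a log with grep: it keeps POST requests to `admin-ajax.php` or `options.php` that mention the plugin and carry a script-like payload, in raw or percent-encoded form. The log lines are constructed for this example, as is the AJAX action name `placeholder_icegram_settings_action`; the plugin's real endpoint and parameter names are not given in the advisory. Note that a standard web-server access log does not record POST bodies, so the source must be something that does (a WAF audit log or application-level request logging).

```shell
#!/bin/sh
# Added example: flag POST requests to WordPress admin endpoints that mention
# Icegram and carry script-like content. Expects one request per line on stdin,
# including the request body (a WAF audit log or similar); plain access logs lack it.

# flag_suspicious_requests: filter stdin, emitting only matching lines.
flag_suspicious_requests() {
    grep -Ei 'POST [^ ]*(admin-ajax\.php|options\.php)' \
    | grep -Ei 'icegram' \
    | grep -Ei '(<|%3C)script|[^a-z]on[a-z]+ *=|javascript:'
    # Patterns: <script / %3Cscript, inline event handlers such as onerror=, javascript: URLs.
}

# count_suspicious: number of flagged lines (0 when nothing matches).
count_suspicious() {
    flag_suspicious_requests | wc -l | tr -d ' '
}

# sample_log: constructed request log for demonstration; not real traffic.
# The action name is a placeholder, not the plugin's actual AJAX action.
sample_log() {
    cat <<'EOF'
2025-01-15T10:01:02Z 203.0.113.5 admin GET /wp-admin/admin.php?page=icegram body=""
2025-01-15T10:02:11Z 203.0.113.5 admin POST /wp-admin/admin-ajax.php action=placeholder_icegram_settings_action body="headline=<script>alert(1)</script>"
2025-01-15T10:02:40Z 203.0.113.5 admin POST /wp-admin/admin-ajax.php action=placeholder_icegram_settings_action body="headline=%3Cscript%3Ealert(1)%3C/script%3E"
2025-01-15T10:03:05Z 198.51.100.9 editor POST /wp-admin/admin-ajax.php action=placeholder_other_plugin_action body="note=<script>alert(1)</script>"
2025-01-15T10:04:19Z 203.0.113.5 admin POST /wp-admin/admin-ajax.php action=placeholder_icegram_settings_action body="headline=Summer+sale"
2025-01-15T10:05:33Z 203.0.113.5 admin POST /wp-admin/options.php option_page=icegram body="footer=<img src=x onerror=alert(1)>"
EOF
}

# Demonstration run: print the flagged lines from the constructed log.
echo "Flagged requests:"
sample_log | flag_suspicious_requests
```

Three of the six constructed lines are flagged: the raw `<script>` tag, its percent-encoded form, and the `onerror=` handler. The line for another plugin is deliberately ignored, matching the advisory's indicator, which scopes the hunt to this plugin's settings traffic; widen the second grep if you want to catch the same payloads against any plugin. Expect false positives from legitimate HTML in settings fields, so treat hits as triage leads and correlate them with the administrator account and time of the change.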