CVE-2024-13563
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages using the Front End Users plugin's forgot-password shortcode. When other users visit pages containing these injected scripts, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All WordPress sites using Front End Users plugin versions up to 3.2.30 are affected.
💻 Affected Systems
- Front End Users WordPress Plugin
📦 What is this software?
Front End Users by Etoilewebdesign
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, perform actions as authenticated users, or display phishing content to visitors.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only legitimate password reset functionality is available.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.31
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3240349/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Front End Users' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.31+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Front End Users Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate front-end-only-users
Restrict Contributor Access
Temporarily remove contributor-level access from untrusted users (the command below demotes every contributor to subscriber, so review the list first; wp user set-role takes one user per call, hence xargs -I)
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Remove the [feup_forgot_password] shortcode from all pages/posts where it appears
- Implement web application firewall (WAF) rules to block XSS payloads in plugin parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Front End Users plugin version 3.2.30 or lower
Check Version:
wp plugin list --name=front-end-only-users --field=version
Verify Fix Applied:
Verify plugin version is 3.2.31 or higher in WordPress admin plugins page
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress pages containing [feup_forgot_password] shortcode with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests with malicious script payloads in 'redirect' or other parameters to pages using the forgot-password shortcode
SIEM Query:
source="wordpress.log" AND ("[feup_forgot_password]" AND ("<script" OR "javascript:" OR "onerror="))
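As an added example, not part of this advisory or of the plugin's own code, the following Python script turns the log indicators above and the "remove the shortcode" workaround into something you can run over exported post content: it finds every [feup_forgot_password] occurrence, parses its attributes, flags attribute values that carry the same indicators as the SIEM query (<script, javascript:, on*=), and can strip the shortcode out. The sample posts are constructed; the attribute name 'redirect' comes from the network indicators on this page, while 'submit_label' is an assumed name used only for illustration, since this page does not list the shortcode's real attributes.

```python
import re
from typing import Dict, List

# Constructed sample: post_content of a few WordPress posts (not real site data).
# 'submit_label' is an assumed attribute name used only for illustration.
SAMPLE_POSTS = {
    101: "Welcome! [feup_forgot_password] Use the form above to reset your password.",
    102: '[feup_forgot_password redirect="https://example.com/account"]',
    103: '[feup_forgot_password redirect="javascript:alert(1)"]',
    104: '[feup_forgot_password submit_label="<img src=x onerror=alert(1)>"]',
    105: "No shortcode on this page at all.",
}

# Same indicators as the SIEM query above, plus any on*= event handler attribute.
XSS_INDICATORS = re.compile(r"<script|javascript:|on[a-z]+\s*=", re.IGNORECASE)

# One [feup_forgot_password ...] occurrence; group 1 is the raw attribute string.
SHORTCODE = re.compile(r"\[feup_forgot_password\b([^\]]*)\]", re.IGNORECASE)

# name="value", name='value' or name=value (a simplified form of WordPress's
# shortcode attribute parsing, sufficient for scanning).
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_atts(raw: str) -> Dict[str, str]:
    """Parse a shortcode's attribute string into a name -> value mapping."""
    atts: Dict[str, str] = {}
    for m in ATTR.finditer(raw):
        name = m.group(1).lower()
        # Whichever of the three value alternatives matched is the value.
        value = next(g for g in m.groups()[1:] if g is not None)
        atts[name] = value
    return atts


def scan_posts(posts: Dict[int, str]) -> List[dict]:
    """Return one finding per shortcode occurrence, with suspicious attributes flagged.

    Every occurrence is reported (so the shortcode can be located and removed as
    a workaround); 'suspicious' holds only the attributes whose values carry an
    XSS indicator.
    """
    findings: List[dict] = []
    for post_id, content in posts.items():
        for m in SHORTCODE.finditer(content):
            atts = parse_atts(m.group(1))
            suspicious = {k: v for k, v in atts.items() if XSS_INDICATORS.search(v)}
            findings.append({"post_id": post_id, "atts": atts, "suspicious": suspicious})
    return findings


def strip_shortcode(content: str) -> str:
    """Remove every [feup_forgot_password ...] shortcode from post content."""
    return SHORTCODE.sub("", content).strip()


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"post {f['post_id']}: {flag} {f['suspicious'] or f['atts']}")
```

To run this against a real site, export content first (for example with wp post list --post_type=any --fields=ID,post_content --format=json) and load the result into the posts mapping; the scanner reports every occurrence so that a site that cannot patch can locate the shortcode, and it flags only the attribute values that match the indicators, which keeps legitimate redirect URLs from producing noise.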
🔗 References
- https://plugins.trac.wordpress.org/browser/front-end-only-users/trunk/Shortcodes/Insert_Forgot_Password.php#L61
- https://plugins.trac.wordpress.org/changeset/3240349/
- https://wordpress.org/plugins/front-end-only-users
- https://www.wordfence.com/threat-intel/vulnerabilities/id/51f3497f-c599-4d47-bd5a-94e1679a0025?source=cve