CVE-2024-13573
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability. Authenticated WordPress users with Contributor-level access or higher can place malicious JavaScript in a page or post through the Zigaform plugin's shortcode, because the plugin does not adequately sanitize and escape what it renders from the shortcode. The injected script runs in the browser of anyone who views the affected page, including logged-in administrators, which enables session hijacking, credential theft, or defacement. Every WordPress site running a vulnerable version of Zigaform - Form Builder Lite (7.4.2 and earlier) is affected.
💻 Affected Systems
- Zigaform - Form Builder Lite WordPress Plugin
📦 What is this software?
Zigaform - Form Builder Lite is a form builder plugin for WordPress by Softdiscover. Forms built with it are placed on pages and posts via shortcodes, which is the code path this vulnerability lives in.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, or redirect visitors to malicious sites, potentially compromising the entire web server and user data.
Likely Case
Malicious contributors or compromised accounts inject scripts to steal user sessions, display fraudulent content, or redirect users to phishing pages, damaging site reputation and user trust.
If Mitigated
If Contributor-level accounts are limited to trusted people and a Content Security Policy blocks inline scripts, the injected payload either cannot run or can only come from an accountable account, so the impact shrinks to defacement of individual pages rather than full site compromise.
🎯 Exploit Status
Exploitation requires an authenticated WordPress account with Contributor-level access or higher; no other prerequisite is needed beyond the ability to edit content that contains the shortcode. The vulnerability is well documented and technical details are public.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Zigaform - Form Builder Lite.
4. Click 'Update Now' if available, or delete the plugin and reinstall the latest version.
5. Verify that the installed version is 7.4.3 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Zigaform plugin until it is patched. Any forms placed with its shortcodes stop rendering while it is deactivated, so plan for that.
wp plugin deactivate zigaform-form-builder-lite
Restrict User Roles
Remove Contributor-level access from untrusted users. The command below demotes every Contributor to Subscriber, so review the output of the list command on its own before piping it; the `-I{}` is required because `wp user set-role` takes the user first and the role second, and a plain `xargs` would append the IDs after the role. This is only a partial workaround: Authors, Editors and Administrators can still trigger the flaw.
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Serve a Content Security Policy whose `script-src` omits `'unsafe-inline'`; the payload this flaw delivers is inline script or an inline event handler, which such a policy blocks in the browser
- Regularly audit user accounts and remove unnecessary contributor-level permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Zigaform - Form Builder Lite → Version. If version is 7.4.2 or lower, you are vulnerable.
Check Version:
wp plugin get zigaform-form-builder-lite --field=version
Verify Fix Applied:
After update, confirm version shows 7.4.3 or higher in WordPress plugins list.
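The check in the "How to Verify" section and the update steps above can be scripted. The following is an added example, not code from the advisory or from the Zigaform plugin: it compares the installed version against the first fixed release (7.4.3), and when WP-CLI is available on a live site it updates the plugin if it is still vulnerable. The plugin slug `zigaform-form-builder-lite` is the one used in the advisory's own WP-CLI commands; pass a version string as the first argument to exercise the comparison without a site.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Zigaform plugin.
# Checks whether the installed Zigaform - Form Builder Lite is older than
# the first fixed release and, on a live site with WP-CLI, updates it.

PLUGIN_SLUG="zigaform-form-builder-lite"   # slug from the advisory's WP-CLI commands
FIXED_VERSION="7.4.3"                       # first release that fixes CVE-2024-13573

# version_lt A B: true (exit 0) when dotted version A sorts before B.
# Segments are compared numerically; a non-numeric suffix such as
# "7.4.2-beta" is stripped from its segment before comparing.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    [ -n "$ai" ] || ai=0
    [ -n "$bi" ] || bi=0
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1   # versions are equal
}

# is_vulnerable VERSION: true when VERSION predates the fixed release.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_zigaform VERSION: print a verdict; exit 0 when fixed, 1 when vulnerable.
check_zigaform() {
  if is_vulnerable "$1"; then
    echo "VULNERABLE: $PLUGIN_SLUG $1 is older than $FIXED_VERSION (CVE-2024-13573)"
    return 1
  fi
  echo "OK: $PLUGIN_SLUG $1 is at or above $FIXED_VERSION"
}

# installed_version: ask WP-CLI for the live version (empty if not installed).
installed_version() {
  wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

# With an argument, only the comparison runs (no site needed). Without one,
# and with WP-CLI on PATH, the live plugin is checked and updated if needed.
if [ -n "${1:-}" ]; then
  check_zigaform "$1"
elif command -v wp >/dev/null 2>&1; then
  v="$(installed_version)"
  if [ -z "$v" ]; then
    echo "$PLUGIN_SLUG is not installed"
  elif ! check_zigaform "$v"; then
    wp plugin update "$PLUGIN_SLUG"
    check_zigaform "$(installed_version)"
  fi
fi
```

Run it from the WordPress root as the web user (for example `sudo -u www-data sh check_zigaform.sh`) so WP-CLI can load the site; the final `check_zigaform` call after the update is the "Verify Fix Applied" step, and a non-zero exit means the update did not reach 7.4.3.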
📡 Detection & Monitoring
Log Indicators:
- Page or post saves (POST to wp-admin/post.php or the REST posts endpoint) whose content contains a zgfm_rfvar shortcode with `<`, an `on...=` event handler, or `javascript:` inside an attribute value
- A burst of page or post edits from a single Contributor-level account, or edits that add shortcodes to content that previously had none
Network Indicators:
- External script loads from unexpected domains in page responses
SIEM Query:
source="wordpress.log" AND ("zgfm_rfvar" OR "Zigaform") AND ("POST" OR "update")
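The log and SIEM indicators above catch the write; the stored payload itself sits in post content and can be found there directly. The following is an added example, not code from the advisory or from the Zigaform plugin: it scans text for zgfm_rfvar shortcodes (the shortcode name the detection section cites) whose attributes carry a tag opener, an event-handler attribute, or a `javascript:` URL, which are the forms a stored XSS payload in a shortcode attribute takes. The attribute names in the constructed sample content are made up, and `scan_site` assumes WP-CLI on PATH and is run from the WordPress root.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Zigaform plugin.
# Flags zgfm_rfvar shortcodes whose attributes look like an XSS payload.

# Attribute content that has no business in a legitimate shortcode:
#   - a tag opener            (<img, <script, <!--)
#   - an event handler        ( onerror=, "onmouseover=) preceded by a space
#                             or quote, the usual way to break out of an
#                             attribute the plugin renders unescaped
#   - a javascript: URL
# The space/quote guard keeps benign names such as confirmation= from matching.
PAYLOAD_RE="(<[a-zA-Z/!]|[[:space:]\"']on[a-zA-Z]+[[:space:]]*=|javascript:)"

# scan_shortcodes: print every zgfm_rfvar shortcode on stdin that contains a
# payload-like attribute. Exit status 0 = at least one hit, 1 = clean.
# A payload that itself contains "]" is cut short at that "]" by the first
# grep; a visibly truncated match is itself worth a look.
scan_shortcodes() {
  grep -E -o '\[zgfm_rfvar[^]]*]' | grep -E -i "$PAYLOAD_RE"
}

# count_hits: number of flagged shortcodes on stdin ("0" when clean).
count_hits() {
  scan_shortcodes | grep -c .
}

# scan_site: pull every post's content through WP-CLI and report hits by
# post ID. Assumes WP-CLI is on PATH and the cwd is the WordPress root.
scan_site() {
  for id in $(wp post list --post_status=any --field=ID); do
    wp post get "$id" --field=post_content | scan_shortcodes | sed "s/^/post $id: /"
  done
}

# Constructed sample content (not real site data) for a stand-alone run.
# Lines 1 and 3 carry payloads; lines 2 and 4 are benign.
SAMPLE='[zgfm_rfvar id="1" class="x" onmouseover="alert(1)"]
Plain paragraph with an unrelated [gallery ids="2,3"] shortcode.
[zgfm_rfvar id="3" title="<img src=x onerror=alert(1)>"]
[zgfm_rfvar id="4" label="Confirmation form" confirmation="thanks"]'

if [ "${1:-}" = "--site" ]; then
  scan_site
else
  printf '%s\n' "$SAMPLE" | scan_shortcodes
fi
```

Running the file with no arguments prints the two flagged shortcodes from the sample; `sh scan_zgfm.sh --site` walks the live site instead. To focus on the accounts the advisory singles out, feed `wp post list --author=<ID>` for each ID from `wp user list --role=contributor --field=ID` into the same `scan_shortcodes` function. The patterns are deliberately broad and will flag some legitimate HTML in attributes, so treat a hit as a lead to review, not a verdict.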