CVE-2024-13590
📋 TL;DR
The Ketchup Shortcodes WordPress plugin has a stored XSS vulnerability in its 'spacer' shortcode that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts execute whenever users view the compromised pages, potentially stealing session cookies or redirecting users to malicious sites. All WordPress sites using this plugin up to version 0.1.2 are affected.
💻 Affected Systems
- Ketchup Shortcodes WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the site, or redirect visitors to malware distribution sites.
Likely Case
Attackers with contributor access inject malicious JavaScript to steal user session cookies, potentially compromising user accounts and performing actions on their behalf.
If Mitigated
With proper user role management and content review processes, the impact is limited to potential defacement or minor content manipulation.
🎯 Exploit Status
Exploitation requires authenticated access (contributor role or higher). The vulnerability is publicly documented with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.3
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3222176/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Ketchup Shortcodes' and click 'Update Now'. 4. Verify the plugin version is 0.1.3 or higher.
🔧 Temporary Workarounds
Disable Ketchup Shortcodes Plugin
allTemporarily deactivate the vulnerable plugin until patching is possible
wp plugin deactivate ketchup-shortcodes
Restrict User Roles
allTemporarily remove contributor-level access from untrusted users
wp user set-role <username> subscriber
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages created by contributors
- Install a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Ketchup Shortcodes version 0.1.2 or lowerCheck Version:
wp plugin get ketchup-shortcodes --field=versionVerify Fix Applied:
Verify plugin version shows 0.1.3 or higher in WordPress admin plugins list📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage in post/page edits
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Unexpected JavaScript execution from WordPress pages
- Suspicious outbound connections from WordPress site
SIEM Query:
source="wordpress" AND (event="plugin_update" AND plugin_name="ketchup-shortcodes" AND old_version<="0.1.2") OR (event="post_edit" AND user_role="contributor" AND content CONTAINS "[spacer" AND NOT content CONTAINS "esc_attr")