CVE-2024-13659
📋 TL;DR
The Listamester WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Listamester plugin versions up to 2.3.4 are affected.
💻 Affected Systems
- WordPress Listamester plugin
📦 What is this software?
Listamester by Listamester
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially escalating privileges.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only trusted users can modify content.
🎯 Exploit Status
Exploitation requires authenticated access (contributor or higher). The vulnerability is in the 'listamester' shortcode attribute handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/listamester/trunk/includes/class-listamester.php#L105
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Listamester plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable Listamester plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate listamester
Restrict user permissions
allRemove contributor-level access from untrusted users
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Regularly audit user accounts and remove unnecessary contributor-level permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Listamester version. If version is 2.3.4 or lower, system is vulnerable.Check Version:
wp plugin get listamester --field=versionVerify Fix Applied:
After updating, verify Listamester plugin version is 2.3.5 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with listamester parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests containing suspicious script tags in listamester shortcode attributes
SIEM Query:
source="wordpress.log" AND ("listamester" AND ("script" OR "onerror" OR "javascript:"))🔗 References
- https://plugins.trac.wordpress.org/browser/listamester/trunk/includes/class-listamester.php#L105
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3225538%40listamester&new=3225538%40listamester&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/68b4358d-d4b4-415b-a19f-e58b155ceac9?source=cve
