CVE-2024-13667
📋 TL;DR
The Uncode WordPress theme has a stored cross-site scripting vulnerability that allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Uncode theme versions up to 2.9.1.6 are affected.
💻 Affected Systems
- Uncode WordPress Theme
📦 What is this software?
Uncode by Undsgn
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect visitors to malicious sites, or deface the website completely.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.
If Mitigated
With proper input validation and output escaping, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1.7 or later
Vendor Advisory: https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check for Uncode theme updates.
4. Update to version 2.9.1.7 or later.
5. Clear any caching plugin and CDN caches.
🔧 Temporary Workarounds
Input Sanitization Filter
Add a custom filter to sanitize the 'mle-description' parameter on input.
Add to the theme's functions.php:
add_filter('pre_update_option_mle-description', 'sanitize_text_field');
Note that this filter only runs when the value is saved through update_option(); it does not clean values that are already stored, and output escaping at render time is still required.
Remove Vulnerable Functionality
Disable or remove the affected media library extension feature
Deactivate any Uncode extensions using mle-description parameter
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Restrict user registration and review existing user accounts for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes > Uncode theme details for version number
Check Version:
wp theme list --fields=name,version --path=/path/to/wordpress
Verify Fix Applied:
Verify Uncode theme version is 2.9.1.7 or higher in WordPress admin
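The version check above can be scripted for fleets of sites. The following is an added example, not part of this advisory or of the Uncode theme: it reads the "Version:" header from the theme's style.css (the same header WordPress reads to display the version) and compares it numerically with the first fixed release, 2.9.1.7. The style.css text is a constructed sample, and the theme directory slug "uncode" under wp-content/themes is an assumption.

```python
"""Check an installed Uncode theme's version against the CVE-2024-13667 fix.

Added example, not part of the advisory. It reads the "Version:" header of
the theme's style.css and compares it numerically with the fixed release.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "2.9.1.7"  # first patched release named in the advisory

# Constructed sample of a theme style.css header block (not the real file).
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Uncode
Author: Undsgn
Version: 2.9.1.6
*/
"""

_VERSION_HEADER = re.compile(r"^\s*Version:\s*(\S+)", re.MULTILINE)


def parse_theme_version(style_css: str) -> Optional[str]:
    """Extract the Version: header value, or None if the header is absent."""
    match = _VERSION_HEADER.search(style_css)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric components for comparison, so 2.9.1.10 sorts after 2.9.1.7.
    A non-numeric suffix such as '-beta' is ignored for that component."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def assess(style_css: str) -> dict:
    """Summarise one theme header: version found and whether it is affected."""
    version = parse_theme_version(style_css)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Version header found"}
    return {"version": version, "vulnerable": is_vulnerable(version),
            "note": f"fixed in {FIXED_VERSION}"}


def assess_theme_dir(wordpress_root: str) -> dict:
    """Read the live header; assumes the theme slug is 'uncode' (assumption)."""
    style_css = Path(wordpress_root) / "wp-content" / "themes" / "uncode" / "style.css"
    return assess(style_css.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample header.
    print(assess(SAMPLE_STYLE_CSS))
```

Point assess_theme_dir() at the WordPress root of each site you manage; a string comparison of version numbers would misorder 2.9.1.10 against 2.9.1.7, which is why the components are compared as integers.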
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to theme files with mle-description parameter
- Multiple failed login attempts followed by successful Subscriber-level login
Network Indicators:
- JavaScript payloads in HTTP POST parameters
- Unusual outbound connections after page loads
SIEM Query:
source="wordpress.log" AND ("mle-description" OR "script" OR "alert(")
Expect noise from the bare "script" term, which matches every request for a script.js file, and note that a literal-string match cannot distinguish a harmless description from a URL-encoded payload (for example %3Cscript%3E) unless the log field is decoded first.
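The following is an added triage script, not part of this advisory: it applies the SIEM query above as a literal substring match and, beside it, a tighter check that URL-decodes each line and flags only requests that carry the mle-description parameter, ranking them higher when the value contains script-like markup. The log lines are constructed samples in a combined-log style with the request body appended as a body="..." field; a standard access log does not record POST bodies, so that field assumes a WAF audit log or a request-body logging module.

```python
"""Triage web-server log lines for CVE-2024-13667 indicators.

Added example, not from the advisory. Assumes a log format in which the
request body has been captured into a body="..." field (constructed here).
"""
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed sample lines: documentation IP range, fictitious traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" body="mle-description=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '203.0.113.9 - - [12/Jan/2025:10:00:02 +0000] "GET /wp-content/themes/uncode/js/script.js HTTP/1.1" 200 40311 '
    '"-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" body="mle-description=Nice+photo+from+the+trip"',
    '203.0.113.7 - - [12/Jan/2025:10:00:04 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192 '
    '"-" "Mozilla/5.0"',
]

# The advisory's query terms, matched literally and case-insensitively.
BROAD_TERMS = ("mle-description", "script", "alert(")

# Markup that has no business in a plain-text media description.
PAYLOAD_PATTERN = re.compile(r"<\s*script|\bon\w+\s*=|javascript:|alert\s*\(", re.IGNORECASE)


def broad_match(line: str) -> bool:
    """The OR-of-substrings SIEM query from the advisory, applied to one line."""
    lowered = line.lower()
    return any(term in lowered for term in BROAD_TERMS)


def classify(line: str) -> str:
    """Return 'high', 'low' or 'none' for one log line.

    The line is URL-decoded first so %3Cscript%3E is seen as <script>;
    'low' means the parameter was written with a value that looks benign,
    which is still worth a look if the account is Subscriber-level.
    """
    decoded = unquote_plus(line)
    if "mle-description" not in decoded.lower():
        return "none"
    if PAYLOAD_PATTERN.search(decoded):
        return "high"
    return "low"


def scan(lines: List[str]) -> List[str]:
    """Severity per line, in input order."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    # Side by side: the literal query flags the benign script.js request and
    # cannot separate a plain description from a script payload.
    for line, severity in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(f"{severity:4}  broad={str(broad_match(line)):5}  {line[:70]}")
```

Feed real lines through scan() and route 'high' results to an alert; pair 'low' results with the account that made the request and the login indicators listed above.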