CVE-2024-13901
📋 TL;DR
This vulnerability allows authenticated attackers with administrator-level access to inject malicious scripts into WordPress pages using the Counter Box plugin. The stored XSS executes when users view compromised pages, potentially stealing session cookies or redirecting to malicious sites. Only affects multi-site WordPress installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
📦 What is this software?
Counter Box by Wow Company
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, malware distribution to visitors, and credential harvesting.
Likely Case
Session hijacking of other administrators, defacement of pages, or redirection to phishing sites.
If Mitigated
Limited impact due to requiring admin privileges and specific WordPress configurations.
🎯 Exploit Status
Requires administrator-level access and specific WordPress configuration. DOM-based stored XSS via 'content' parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3247696/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Counter Box' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.0.7+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Counter Box plugin until patched
wp plugin deactivate counter-box
Enable unfiltered_html for admins
Enable the unfiltered_html capability for administrator users (makes the vulnerability inactive; note that this capability is precisely the permission to post raw HTML and scripts, so administrators can still add script content, it is just no longer a plugin flaw). Add to a must-use plugin or the active theme's functions.php. The filter receives the user object as its fourth argument, so the capability is granted only to administrators rather than to every user:
add_filter('user_has_cap', function($allcaps, $caps, $args, $user) {
    // Grant unfiltered_html only to users holding the administrator role.
    if (in_array('administrator', (array) $user->roles, true)) {
        $allcaps['unfiltered_html'] = true;
    }
    return $allcaps;
}, 10, 4);
🧯 If You Can't Patch
- Remove administrator access from untrusted users
- Implement Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Counter Box version. If the version is ≤2.0.6 and either the site is a multi-site installation or the unfiltered_html capability is disabled, you're vulnerable.
Check Version:
wp plugin get counter-box --field=version
Verify Fix Applied:
Confirm Counter Box plugin version is 2.0.7 or higher in WordPress admin panel.
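A scripted version of the check above, written for this page as an added example (not part of the advisory or the plugin). It assumes WP-CLI is on PATH and is run from the WordPress root, and it treats the DISALLOW_UNFILTERED_HTML constant in wp-config.php as the way unfiltered_html has been disabled; the version comparison and decision logic can also be exercised on their own.

```sh
#!/bin/sh
# Added example: decide whether a Counter Box install is in the vulnerable
# configuration (version <= 2.0.6 AND (multisite OR unfiltered_html disabled)).
FIXED_VERSION="2.0.7"

# version_lt A B: exit 0 if dotted version A is strictly older than B.
# Components are compared numerically, so 2.0.10 is newer than 2.0.7.
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        [ "$v1" = "$p1" ] && v1='' || v1=${v1#*.}
        [ "$v2" = "$p2" ] && v2='' || v2=${v2#*.}
        p1=${p1:-0}; p2=${p2:-0}
        [ "$p1" -lt "$p2" ] && return 0
        [ "$p1" -gt "$p2" ] && return 1
    done
    return 1
}

# is_vulnerable VERSION MULTISITE(0|1) UNFILTERED_HTML_DISABLED(0|1)
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION" || return 1
    [ "$2" = "1" ] || [ "$3" = "1" ]
}

# Live check, only when WP-CLI is available (assumption: run from the WP root).
if command -v wp >/dev/null 2>&1; then
    ver=$(wp plugin get counter-box --field=version)
    if wp core is-installed --network >/dev/null 2>&1; then ms=1; else ms=0; fi
    # DISALLOW_UNFILTERED_HTML strips unfiltered_html from every role.
    if wp config get DISALLOW_UNFILTERED_HTML 2>/dev/null | grep -qiE '^(1|true)$'; then
        nf=1
    else
        nf=0
    fi
    if is_vulnerable "$ver" "$ms" "$nf"; then
        echo "VULNERABLE: counter-box $ver (multisite=$ms, unfiltered_html disabled=$nf)"
        exit 2
    fi
    echo "Not in the vulnerable configuration: counter-box $ver"
fi
```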
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity modifying Counter Box content
- JavaScript payloads in POST requests to Counter Box endpoints
Network Indicators:
- Suspicious outbound connections from WordPress admin pages
- Unexpected script tags in Counter Box content
SIEM Query (Splunk-style; field names depend on your log source, and the original OR on status=200 was dropped because it matched nearly every request):
source="wordpress" AND plugin="counter-box" AND method="POST" AND (content="*<script*" OR content="*javascript:*")