CVE-2024-2088

8.5 HIGH

📋 TL;DR

The NextScripts Social Networks Auto-Poster WordPress plugin has an information disclosure vulnerability that allows authenticated users with subscriber-level access or higher to extract sensitive API keys and secrets for social networks. This affects all versions up to and including 4.4.3. Attackers could use these credentials to post unauthorized content or access connected social media accounts.

💻 Affected Systems

Products:
  • NextScripts: Social Networks Auto-Poster WordPress plugin
Versions: All versions up to and including 4.4.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one subscriber-level user account.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full control of connected social media accounts, post malicious content, steal private data, and potentially pivot to compromise other systems using exposed credentials.

🟠 Likely Case

Attackers extract API keys and secrets to post spam or phishing content from legitimate accounts, damaging reputation and potentially leading to account suspension.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to temporary account misuse that can be quickly detected and revoked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but only at subscriber level, which is trivial to obtain on many WordPress sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.4

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3084635/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php?contextall=1

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'NextScripts: Social Networks Auto-Poster'.
4. Click 'Update Now' if available, or download version 4.4.4+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable function via code modification
Applies to: all

Temporarily disable the nxs_getExpSettings function until patching is possible.

Edit wp-content/plugins/social-networks-auto-poster-facebook-twitter-g/inc/nxs_functions_wp.php and comment out or remove the vulnerable function.

Restrict user registration
Applies to: all

Prevent new subscriber accounts from being created.

Set 'Anyone can register' to false in WordPress Settings > General.

🧯 If You Can't Patch

  • Immediately rotate all social media API keys and secrets stored in the plugin
  • Temporarily deactivate the plugin and remove all user accounts with subscriber or higher privileges

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'NextScripts: Social Networks Auto-Poster' version 4.4.3 or lower

Check Version:

wp plugin list --name='social-networks-auto-poster-facebook-twitter-g' --field=version

Verify Fix Applied:

Confirm plugin version is 4.4.4 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to social networks from unexpected IPs
  • Multiple failed authentication attempts followed by successful subscriber login
  • Unusual POST requests to WordPress admin-ajax.php with nxs_getExpSettings parameter

Network Indicators:

  • Outbound connections to social media APIs from WordPress server at unusual times
  • Traffic patterns suggesting credential harvesting

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "nxs_getExpSettings")
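As an added example (not part of this advisory), the following Python script applies the log indicator above to web-server access logs: it parses combined-log-format lines, flags requests to admin-ajax.php whose query string carries nxs_getExpSettings, and tallies them per client IP. The sample lines are constructed, and placing the parameter in the query string is an assumption; parameters sent in a POST body never appear in a standard access log, so catching those needs request-body logging or a WAF rule instead.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-admin/admin-ajax.php?action=nxs_getExpSettings HTTP/1.1" 200 843 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2024:09:30:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 821 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=nxs_getExpSettings HTTP/1.1" 200 843 "-" "curl/8.4.0"
192.0.2.55 - - [10/Mar/2024:11:02:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

INDICATOR = "nxs_getExpSettings"  # parameter name given in the advisory's log indicators


def find_nxs_hits(log_text):
    """Return {client_ip: [(timestamp, method, status), ...]} for admin-ajax.php
    requests whose query string mentions the indicator. Body parameters are not
    visible here, so a POST without a query string (line 3 above) is not flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/wp-admin/admin-ajax.php") or INDICATOR not in query:
            continue
        hits[m.group("ip")].append((m.group("ts"), m.group("method"), m.group("status")))
    return dict(hits)


def summarize(hits):
    """Return [(ip, hit_count, first_seen, last_seen)] sorted by hit count, highest first."""
    rows = [(ip, len(ev), ev[0][0], ev[-1][0]) for ip, ev in hits.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, count, first, last in summarize(find_nxs_hits(SAMPLE_LOG)):
        print(f"{ip}: {count} hit(s), first {first}, last {last}")
```

Feed a real access log through find_nxs_hits and correlate each flagged IP with the WordPress user that authenticated from it; the request alone does not tell you whether the plugin returned secrets.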
