CVE-2024-34553

7.1 HIGH

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into web pages generated by the Stockholm Core WordPress plugin. When users visit a specially crafted URL, the script executes in their browser, potentially stealing cookies, session tokens, or performing actions on their behalf. All WordPress sites using vulnerable versions of Stockholm Core are affected.

💻 Affected Systems

Products:
  • Select-Themes Stockholm Core WordPress Plugin
Versions: All versions up to and including 2.4.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Stockholm Core plugin to be installed and activated on a WordPress site.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the WordPress site, install backdoors, deface the site, or steal sensitive user data.

🟠 Likely Case

Attackers steal user session cookies, perform actions on behalf of users, or redirect users to malicious sites.

🟢 If Mitigated

Limited impact due to Content Security Policy (CSP) headers, input validation, or output encoding preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit once the vulnerable parameter is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/stockholm-core/wordpress-stockholm-core-plugin-2-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Stockholm Core' and click 'Update Now' if available.
4. Alternatively, download version 2.4.2+ from WordPress.org and manually update via FTP.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF)

Applies to: all

Configure WAF rules to block XSS payloads in URL parameters.

Add Content Security Policy (CSP)

Applies to: all

Implement CSP headers to restrict script execution sources. For Apache, add the following to .htaccess (or use the equivalent directive for other servers):

Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Note that a policy without 'unsafe-inline' also blocks the site's own inline scripts, which many WordPress themes and plugins rely on, so trial it first with the Content-Security-Policy-Report-Only header and review the reports before enforcing it.

🧯 If You Can't Patch

  • Disable the Stockholm Core plugin if not essential
  • Restrict access to the WordPress admin panel to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Stockholm Core version. If version is 2.4.1 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=stockholm-core --field=version (if WP-CLI is installed)

Verify Fix Applied:

Confirm Stockholm Core version is 2.4.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests with script tags or JavaScript in URL parameters
  • Multiple 404 errors for similar malicious URLs

Network Indicators:

  • HTTP requests containing <script>, javascript:, or encoded XSS payloads in query strings

SIEM Query:

source="web_server_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*%3Cscript%3E*")
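As an added example (not part of this advisory or the Patchstack entry), the following Python script applies the log indicators above to constructed Apache/Nginx combined-format access-log lines. It percent-decodes each query string repeatedly before matching, so lowercase, plus-encoded and double-encoded variants of the script-tag and javascript: indicators are caught as well as the literal forms in the SIEM query.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:10:01:02 +0000] "GET /?s=wordpress HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [12/May/2024:10:01:03 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.12 - - [12/May/2024:10:01:04 +0000] "GET /?q=%253cscript%253e HTTP/1.1" 404 312 "-" "curl/8.0"
203.0.113.13 - - [12/May/2024:10:01:05 +0000] "GET /?redirect=JavaScript%3Aalert(1) HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.14 - - [12/May/2024:10:01:06 +0000] "GET /wp-content/plugins/stockholm-core/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Parse client IP, timestamp, request path and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators named in the advisory: script tags and javascript: URIs, matched case-insensitively.
INDICATORS = re.compile(r'<script|javascript:', re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Percent/plus-decode repeatedly so a double-encoded payload (%253C) is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded query string contains an indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]  # reflected input arrives via the query string
        if query and INDICATORS.search(normalize(query)):
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "decoded": normalize(query)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} query={f['decoded']}")
```

The status field is kept so that bursts of 404 responses for similar decoded payloads (the second log indicator above) can be grouped per source address.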
