CVE-2024-35655 – This stored XSS vulnerability in the Brave Popu... (How to Fix)

Q: What is the severity of CVE-2024-35655?

CVE-2024-35655 has a CVSS score of 5.9 (MEDIUM). This stored XSS vulnerability in the Brave Popup Builder WordPress plugin allows attackers to inject malicious scripts into web pages. When users view pages containing the malicious content, their browsers execute the scripts, potentially compromising their sessions or stealing sensitive data. All WordPress sites using Brave Popup Builder versions up to 0.6.9 are affected.

📋 TL;DR

This stored XSS vulnerability in the Brave Popup Builder WordPress plugin allows attackers to inject malicious scripts into web pages. When users view pages containing the malicious content, their browsers execute the scripts, potentially compromising their sessions or stealing sensitive data. All WordPress sites using Brave Popup Builder versions up to 0.6.9 are affected.

💻 Affected Systems

Products:

Brave Popup Builder (WordPress plugin)

Versions: n/a through 0.6.9

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: This affects WordPress installations with the Brave Popup Builder plugin enabled. The vulnerability exists in the plugin's input handling during web page generation.

📦 What is this software?

Brave by Getbrave

View all CVEs affecting Brave →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over WordPress sites, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.

🟠

Likely Case

Attackers inject malicious JavaScript that steals user session cookies or credentials, allowing them to impersonate users or administrators with limited privileges.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching users, preventing any exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

The vulnerability requires some level of access to inject malicious content, but once injected, exploitation is straightforward. Public proof-of-concept details are available through security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.10 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/brave-popup-builder/wordpress-brave-interactive-content-plugin-0-6-8-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Brave Popup Builder. 4. Click 'Update Now' if available. 5. Alternatively, download version 0.6.10+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Brave Popup Builder plugin until patched

wp plugin deactivate brave-popup-builder

Content Security Policy

all

Implement strict Content Security Policy headers to mitigate XSS impact

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block XSS payloads
Restrict plugin access to trusted users only and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Brave Popup Builder for version number. If version is 0.6.9 or lower, you are vulnerable.

Check Version:

wp plugin get brave-popup-builder --field=version

Verify Fix Applied:

After updating, verify plugin version shows 0.6.10 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to plugin endpoints containing script tags or JavaScript
Multiple failed login attempts followed by plugin configuration changes

Network Indicators:

Outbound connections to suspicious domains from your WordPress server
Unexpected JavaScript payloads in HTTP responses

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "brave-popup") AND (http_method="POST" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))

📊 Metadata

CVE ID: CVE-2024-35655

CVSS v3 Score: 5.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

Published: June 4, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35655, you might also want to check these: