CVE-2024-35693

7.1 HIGH

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into web pages generated by the 12 Step Meeting List WordPress plugin, which could execute in users' browsers. It affects all WordPress sites using this plugin from any version up to 3.14.33. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • WordPress 12 Step Meeting List plugin
Versions: n/a through 3.14.33
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator credentials, take over the WordPress site, install backdoors, and compromise all user data.

🟠

Likely Case

Attackers steal user session cookies, perform unauthorized actions as logged-in users, or redirect users to malicious sites.

🟢

If Mitigated

With proper input validation and output encoding, the attack fails and no malicious scripts execute.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction but is easy to exploit via crafted links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.14.34 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/12-step-meeting-list/wordpress-12-step-meeting-list-plugin-3-14-33-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find '12 Step Meeting List' and click 'Update Now'.
4. Verify the version is 3.14.34 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin

Applies to: all

Temporarily disable the 12 Step Meeting List plugin until patched.

wp plugin deactivate 12-step-meeting-list

Implement WAF rules

Applies to: all

Configure web application firewall to block XSS payloads targeting the plugin.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Use browser security extensions that block XSS attacks
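A CSP header only helps against reflected XSS if its script sources actually refuse inline script and arbitrary hosts. The following checker is an added example, not code from this advisory, the plugin or WordPress; the two header strings are constructed samples, and the nonce value is a placeholder. It shows a weak policy beside a hardened one and reports which injection vectors each would stop.

```python
"""Added example (not code from the 12 Step Meeting List plugin or WordPress):
evaluate whether a Content-Security-Policy header would stop the script an
attacker reflects into a page. The header strings are constructed samples."""

# A policy that mentions script-src but still permits inline script and any host.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"

# A policy of the shape that defeats reflected XSS: scripts only from the site
# itself or carrying the per-response nonce (the nonce value here is a placeholder).
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'"

# Source expressions that let a script load from any origin.
WILDCARD_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def script_sources(policy):
    """script-src governs scripts; it falls back to default-src, and if neither
    is present the browser applies no restriction at all (returned as None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def evaluate_csp(header):
    """Return which XSS vectors the policy blocks.

    inline_blocked: an injected <script>...</script> or event-handler attribute
      cannot run. Inline script is allowed only by 'unsafe-inline', and browsers
      ignore 'unsafe-inline' once a nonce or hash source is present.
    any_host_blocked: an injected <script src="https://attacker.example/..."> is
      refused because no wildcard scheme/host source is listed.
    """
    sources = script_sources(parse_csp(header))
    if sources is None:
        return {"inline_blocked": False, "any_host_blocked": False}
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    inline_allowed = "'unsafe-inline'" in sources and not has_nonce_or_hash
    any_host_allowed = any(s in WILDCARD_SOURCES for s in sources)
    return {"inline_blocked": not inline_allowed, "any_host_blocked": not any_host_allowed}


if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, evaluate_csp(header))
```

Run it against the `Content-Security-Policy` header your site actually sends: a result of `inline_blocked: False` means the policy would not stop a script reflected by this plugin, however long the rest of the header is. The nonce approach assumes the site's own inline scripts are tagged with the per-response nonce; without that, the hardened policy also breaks legitimate inline script.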

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, open Plugins and check the 12 Step Meeting List version. If it is 3.14.33 or lower, the site is vulnerable.

Check Version:

wp plugin get 12-step-meeting-list --field=version

Verify Fix Applied:

After updating, verify plugin version shows 3.14.34 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests with script tags or JavaScript payloads
  • Multiple failed login attempts after suspicious links

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in query parameters
  • Traffic to known malicious domains after plugin access

SIEM Query:

source="web_server" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND uri_path="/wp-content/plugins/12-step-meeting-list/*"
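The WAF workaround above and this SIEM query key on the same four markers, but a literal string match on the raw request line misses the URL-encoded form in which such payloads normally arrive in a crafted link. The script below is an added example, not the advisory's or the plugin's code: it applies the query's markers and path filter to access-log lines (constructed samples in combined log format) after URL-decoding the request target, and the path prefix is a parameter because the exact request path that triggers the flaw is not given on this page.

```python
"""Added example (not the advisory's or the plugin's code): apply the SIEM
query's four markers to web-server access-log lines. The log lines below are
constructed samples in the Apache/nginx combined format."""
import re
from urllib.parse import unquote_plus

# Path filter taken from the advisory's SIEM query. The exact request path that
# triggers the flaw is not given on this page, so callers can widen it.
PLUGIN_PATH_PREFIX = "/wp-content/plugins/12-step-meeting-list/"

# Same markers as the SIEM query; compared case-insensitively after decoding.
XSS_MARKERS = ("<script", "javascript:", "onload=", "onerror=")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, no real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/12-step-meeting-list/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/plugins/12-step-meeting-list/assets/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2024:12:00:03 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 100 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-content/plugins/12-step-meeting-list/x?img=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 0 "-" "curl/8.0"',
    'not a log line',
]


def decode_target(target):
    """URL-decode up to twice so single- and double-encoded payloads surface;
    a literal match on the raw line, as in the SIEM query, misses both."""
    decoded = target
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_markers(decoded_target):
    """Markers present in the decoded request, in XSS_MARKERS order."""
    low = decoded_target.lower()
    return [m for m in XSS_MARKERS if m in low]


def scan_log(lines, path_prefix=PLUGIN_PATH_PREFIX):
    """Return one hit per request that is under path_prefix and carries a marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash on it
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not path.startswith(path_prefix):
            continue
        decoded = decode_target(target)
        markers = find_markers(decoded)
        if markers:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "path": path,
                "markers": markers,
                "was_encoded": decoded != target,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Of the sample lines, the first and fourth are flagged (the fourth only because of the second decoding pass); the plain asset request is not, and the third line, a search query against the site root, is flagged only when `path_prefix="/"` is passed. Treat the marker list as a starting point: it is the page's own list, and encoding tricks beyond percent-encoding (HTML entities, alternative tag and attribute spellings) are not covered.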

🔗 References
