CVE-2024-4290
📋 TL;DR
The Sailthru Triggermail WordPress plugin through version 1.1 contains a stored cross-site scripting (XSS) vulnerability in its settings page. An authenticated administrator can save a script in the plugin's settings that executes when other users view the affected pages, and this works even in WordPress multisite installations, where the unfiltered_html capability is normally restricted. Any WordPress site running the plugin at version 1.1 or earlier is affected.
💻 Affected Systems
- Sailthru Triggermail WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Malicious admin or compromised admin account injects scripts that affect other users, potentially stealing credentials or performing unauthorized actions.
If Mitigated
With proper access controls and admin account security, the risk is limited to trusted administrators who would not exploit the vulnerability.
🎯 Exploit Status
Exploitation requires admin access. The vulnerability is in plugin settings that lack proper input sanitization and output escaping.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2 or later
Vendor Advisory: https://wpscan.com/vulnerability/a9a10d0f-d8f2-4f3e-92bf-94fc08416d87/
Restart Required: No
Instructions:
1. Update the Sailthru Triggermail plugin to version 1.2 or later via the WordPress admin dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Find Sailthru Triggermail and click 'Update Now'.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Sailthru Triggermail plugin until patched
wp plugin deactivate sailthru-triggermail
Remove Plugin
Completely remove the vulnerable plugin
wp plugin delete sailthru-triggermail
🧯 If You Can't Patch
- Restrict admin access to only trusted personnel and implement strong authentication
- Implement web application firewall (WAF) rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin dashboard > Plugins > Installed Plugins for Sailthru Triggermail version 1.1 or earlier
Check Version:
wp plugin get sailthru-triggermail --field=version
Verify Fix Applied:
Verify plugin version is 1.2 or later in WordPress admin dashboard
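Added example, not part of the advisory or of the plugin's own code: a POSIX shell helper that wraps the wp-cli version check above and compares the result against the 1.2 fix version component by component (so 1.10 is treated as newer than 1.2, which a plain string compare gets wrong). It assumes `wp` is on PATH and that it runs from the WordPress root; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): reports whether the installed
# Sailthru Triggermail version is older than the fixed release (1.2) named above.
# Assumptions: wp-cli ("wp") is on PATH and the script runs from the WordPress root.

FIXED_VERSION="1.2"
PLUGIN_SLUG="sailthru-triggermail"

# version_lt A B: exit 0 when A < B, comparing dot-separated numeric components.
# Trailing non-digits in a component ("2-beta") are ignored; missing components count as 0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
    ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
    ah=${ah:-0}; bh=${bh:-0}
    [ "$ah" -lt "$bh" ] && return 0
    [ "$ah" -gt "$bh" ] && return 1
  done
  return 1
}

# triggermail_verdict VERSION: exit 0 (vulnerable) when VERSION < FIXED_VERSION, 1 otherwise.
triggermail_verdict() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo "VULNERABLE: $PLUGIN_SLUG $1 is older than $FIXED_VERSION (CVE-2024-4290)"
    return 0
  fi
  echo "OK: $PLUGIN_SLUG $1 is $FIXED_VERSION or later"
  return 1
}

# check_live_site: reads the installed version with the wp-cli command the advisory gives.
# Exit status: 0 = vulnerable, 1 = fixed, 2 = plugin not installed.
check_live_site() {
  ver=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "NOT INSTALLED: $PLUGIN_SLUG"
    return 2
  }
  triggermail_verdict "$ver"
}

# Only query a real site when wp-cli is present; the functions above also work offline.
if command -v wp >/dev/null 2>&1; then
  check_live_site
fi
```

Run it from each site's WordPress root (for example from a fleet loop over `wp --path=...` installs) and act on exit status 0.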
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying plugin settings
- JavaScript injection patterns in plugin configuration
Network Indicators:
- Suspicious JavaScript payloads in HTTP requests to plugin endpoints
SIEM Query:
source="wordpress" AND (plugin="sailthru-triggermail" OR uri="/wp-admin/admin.php?page=sailthru-triggermail") AND (method="POST" OR method="PUT")