CVE-2024-49335
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the Edush Maxim GoogleDrive folder list WordPress plugin lets an attacker who tricks an authenticated user into submitting a forged request store malicious script through the plugin, turning the CSRF into stored XSS. Once stored, the payload lets the attacker perform actions as the authenticated user and execute arbitrary JavaScript in the browsers of victims who load the affected page. All WordPress sites running GoogleDrive folder list versions up to and including 2.2.2 are affected.
💻 Affected Systems
- Edush Maxim GoogleDrive folder list WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, deface websites, steal sensitive data, or redirect users to malicious sites through stored XSS payloads executed by any visitor.
Likely Case
Attackers inject malicious JavaScript that steals session cookies or performs unauthorized actions on behalf of authenticated users, potentially compromising user accounts.
If Mitigated
With proper CSRF tokens and Content Security Policy (CSP), the attack surface is reduced, though stored XSS payloads might still execute if previously injected.
🎯 Exploit Status
Exploitation requires tricking an authenticated user into visiting a malicious page. The Patchstack reference provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'GoogleDrive folder list' and update to version 2.2.3 or later.
4. If no update is offered, deactivate and delete the plugin, then reinstall the latest version from the WordPress repository.
🔧 Temporary Workarounds
Implement CSRF Protection
Add CSRF tokens (WordPress nonces) to the plugin's forms and verify them in the handlers, if custom code modifications are possible.
Apply Content Security Policy (CSP)
Implement a strict CSP header to limit the impact of XSS by restricting the sources from which scripts may execute.
Add to .htaccess:
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or in WordPress (for example in a must-use plugin or the theme's functions.php):
    add_filter('wp_headers', 'add_csp_header');
    function add_csp_header($headers) {
        $headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self'";
        return $headers;
    }
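The two workarounds above combined in one hypothetical settings page, as an added example that is not the GoogleDrive folder list plugin's own code: a nonce and capability check block forged cross-site POSTs, input is sanitized before it is stored, output is escaped so a stored payload cannot break out of the attribute, and the CSP filter is attached. All names prefixed gdfl_example_ and the option and page slugs are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Names prefixed "gdfl_example_" are assumed.

// Register a hypothetical settings page under Settings, admins only.
add_action( 'admin_menu', function () {
    add_options_page( 'GDFL Example', 'GDFL Example', 'manage_options',
        'gdfl-example', 'gdfl_example_render_settings_page' );
} );

// Render the form. The nonce field ties the submission to this logged-in user,
// so a POST forged by another site cannot pass check_admin_referer() below.
function gdfl_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    $folder_id = get_option( 'gdfl_example_folder_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'gdfl_example_save', 'gdfl_example_nonce' ); ?>
        <input type="hidden" name="action" value="gdfl_example_save">
        <!-- esc_attr() keeps any previously stored value inside the attribute -->
        <input type="text" name="folder_id" value="<?php echo esc_attr( $folder_id ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: capability check, then nonce check (CSRF), then sanitize before storing.
function gdfl_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // Dies with "The link you followed has expired" when the nonce is missing or invalid.
    check_admin_referer( 'gdfl_example_save', 'gdfl_example_nonce' );

    $raw   = isset( $_POST['folder_id'] ) ? wp_unslash( $_POST['folder_id'] ) : '';
    $clean = sanitize_text_field( $raw ); // strips tags, so <script> never reaches the DB
    update_option( 'gdfl_example_folder_id', $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=gdfl-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_gdfl_example_save', 'gdfl_example_save_settings' );

// Defence in depth: the CSP from the workaround. Note that wp_headers only covers
// front-end responses, and script-src 'self' will break wp-admin's inline scripts.
add_filter( 'wp_headers', function ( $headers ) {
    $headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self'";
    return $headers;
} );
```

Drop the file into wp-content/mu-plugins/ to load it; the nonce check is what turns a forged cross-site POST into a hard failure rather than a stored payload.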
🧯 If You Can't Patch
- Disable or remove the GoogleDrive folder list plugin immediately.
- Restrict plugin access to trusted users only and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel: Plugins > Installed Plugins, find 'GoogleDrive folder list' and verify version is 2.2.2 or lower.
Check Version:
With WP-CLI installed:
    wp plugin list --name='googledrive-folder-list' --field=version
Otherwise check the version in the WordPress admin UI.
Verify Fix Applied:
Confirm plugin version is 2.2.3 or higher in WordPress admin panel after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin admin endpoints without referrer headers or CSRF tokens.
- JavaScript payloads in plugin-related database entries or logs.
Network Indicators:
- Requests from unexpected sources to wp-admin/admin-ajax.php or plugin-specific endpoints.
- Outbound connections to malicious domains triggered by injected scripts.
SIEM Query:
source="wordpress.log" AND ("googledrive-folder-list" OR "admin-ajax.php") AND (status=200 OR status=403) AND referrer="-"