CVE-2024-5252
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in the Ultimate Addons for WPBakery WordPress plugin. Authenticated users with contributor-level access or higher can inject malicious scripts through the plugin's ultimate_info_table shortcode, and the scripts execute in the browser of anyone who views the affected page, enabling attackers to steal cookies, redirect users, or perform other actions in the victim's session. Every WordPress site running a vulnerable version of this plugin is affected.
💻 Affected Systems
- Ultimate Addons for WPBakery (WordPress plugin)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, redirect users to malicious sites, or deploy malware to visitors' browsers.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal user session data or redirect users to phishing pages.
If Mitigated
With tight user access controls (few contributor accounts, all trusted) and a restrictive Content Security Policy that blocks inline scripts, impact is limited to defacement or minor data leakage from the affected pages.
🎯 Exploit Status
Exploitation requires an authenticated account, but it is straightforward once an attacker holds contributor-level (or higher) credentials: the payload is placed in shortcode attributes of ordinary post content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.19.21
Vendor Advisory: https://ultimate.brainstormforce.com/changelog/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Ultimate Addons for WPBakery'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.19.21 or later from your vendor account (the plugin is distributed by Brainstorm Force via CodeCanyon, not through the wordpress.org plugin repository) and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the ultimate_info_table shortcode functionality.
The plugin registers its shortcodes on the init hook, so a bare remove_shortcode() call in the theme's functions.php runs too early and has no effect. Hook the removal to init at a late priority instead, e.g. in functions.php: add_action( 'init', function () { remove_shortcode( 'ultimate_info_table' ); }, PHP_INT_MAX );
Restrict user roles
Limit contributor-level access to trusted users only.
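The following must-use plugin is an added example (not code from the vendor or from this advisory) that applies the shortcode workaround above in a way that survives theme changes and switches itself off once the patched version is installed. It assumes the plugin's main file lives at Ultimate_VC_Addons/Ultimate_VC_Addons.php under wp-content/plugins/ (an assumption; confirm the slug with `wp plugin list`) and uses the fixed version 3.19.21 stated in this advisory.

```php
<?php
/**
 * Plugin Name: CVE-2024-5252 interim mitigation (added example, not vendor code)
 *
 * Save as wp-content/mu-plugins/cve-2024-5252-mitigation.php. Must-use plugins
 * load unconditionally and cannot be deactivated from the admin UI.
 */

// First release that fixes the issue, per the advisory.
const CVE_2024_5252_FIXED_VERSION = '3.19.21';

// ASSUMPTION: main plugin file, relative to wp-content/plugins/. Verify with `wp plugin list`.
const CVE_2024_5252_PLUGIN_FILE = 'Ultimate_VC_Addons/Ultimate_VC_Addons.php';

/**
 * Returns the installed plugin version string, or null if the file is absent.
 */
function cve_2024_5252_installed_version() {
    $path = WP_PLUGIN_DIR . '/' . CVE_2024_5252_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    // get_plugin_data() is an admin-side helper; load it on the front end too.
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $path, false, false );
    return isset( $data['Version'] ) ? $data['Version'] : null;
}

/**
 * True when the installed version is older than the fixed release.
 * An unknown version is treated as vulnerable (fail closed).
 */
function cve_2024_5252_is_vulnerable( $version ) {
    if ( null === $version ) {
        return true;
    }
    return version_compare( $version, CVE_2024_5252_FIXED_VERSION, '<' );
}

// The plugin registers its shortcodes on 'init'. Calling remove_shortcode() at
// file load time (e.g. in functions.php) runs before that registration and does
// nothing, so hook 'init' at the lowest possible priority to run after it.
add_action( 'init', function () {
    if ( ! cve_2024_5252_is_vulnerable( cve_2024_5252_installed_version() ) ) {
        return; // patched version installed: leave the shortcode alone
    }
    remove_shortcode( 'ultimate_info_table' );
    // Register an inert replacement so existing [ultimate_info_table ...] tags
    // render as nothing rather than being echoed literally with their raw attributes.
    add_shortcode( 'ultimate_info_table', function () {
        return '';
    } );
}, PHP_INT_MAX );
```

Pages that use the info-table element will render without it while the mitigation is active; after updating to 3.19.21 or later the hook returns early and the file can be deleted.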
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Regularly audit user accounts and remove unnecessary contributor-level access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Ultimate Addons for WPBakery → Version. Any version earlier than 3.19.21 (i.e. 3.19.20 or lower) is vulnerable.
Check Version:
wp plugin list --fields=name,version,status | grep -i ultimate
(`wp plugin list` filters on the plugin slug, i.e. its directory name, not on the display title, so filter the output instead; on most installs the slug is Ultimate_VC_Addons.)
Verify Fix Applied:
After updating, verify plugin version shows 3.19.21 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/post.php (classic editor) or to the REST endpoint /wp-json/wp/v2/posts (block editor) whose body contains the ultimate_info_table shortcode, submitted by contributor-level users. Note that standard web-server access logs do not record POST bodies; this indicator requires WAF, reverse-proxy or application-side logging.
- Multiple page edits by contributor-level users in a short timeframe
Network Indicators:
- Unexpected inline script tags, event-handler attributes (onload=, onerror=, ...) or javascript: URLs inside the rendered info-table markup of pages authored by low-privileged users
SIEM Query:
source="wordpress" AND http_method="POST" AND (uri_path="/wp-admin/post.php" OR uri_path LIKE "/wp-json/wp/v2/posts%") AND request_body LIKE "%ultimate_info_table%"
(The query assumes the log source captures request bodies; adapt field names to your SIEM schema.)
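Because most access logs never see the request body, the most reliable place to catch the indicator above is inside WordPress itself. The must-use plugin below is an added example (not code from the vendor or from this advisory) that hooks the wp_insert_post_data filter, which every save path (wp-admin/post.php, the REST API, XML-RPC) passes through, and writes a log line whenever a user without the unfiltered_html capability submits content containing an [ultimate_info_table ...] tag. The malicious-pattern heuristic and log format are this example's own choices.

```php
<?php
/**
 * Plugin Name: CVE-2024-5252 submission logging (added example, not vendor code)
 *
 * Save as wp-content/mu-plugins/cve-2024-5252-log.php. Lines are written via
 * error_log(), so they land in the PHP error log (or WP_DEBUG_LOG); ship that
 * file to your SIEM.
 */

/**
 * Extracts every [ultimate_info_table ...] opening tag from post content.
 * A regex is used instead of has_shortcode() so detection keeps working even
 * when the shortcode has been unregistered as a mitigation.
 */
function cve_2024_5252_find_tags( $content ) {
    if ( ! preg_match_all( '/\[ultimate_info_table\b[^\]]*\]/i', $content, $m ) ) {
        return array();
    }
    return $m[0];
}

/**
 * Heuristic: does a shortcode tag carry attribute values that look like an
 * injection attempt (HTML tag opener, on* event handler, javascript: URL)?
 * Expect occasional false positives; the log line is still emitted either way.
 */
function cve_2024_5252_looks_malicious( $tag ) {
    return (bool) preg_match( '/(<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:)/i', $tag );
}

add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    // Users holding unfiltered_html (administrators, and editors on single-site)
    // may legitimately post markup; the advisory's concern is lower roles.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $data;
    }
    // $data is slashed at this point; unslash before pattern matching.
    $content = isset( $data['post_content'] ) ? wp_unslash( $data['post_content'] ) : '';
    $tags    = cve_2024_5252_find_tags( $content );
    if ( empty( $tags ) ) {
        return $data;
    }
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    foreach ( $tags as $tag ) {
        $severity = cve_2024_5252_looks_malicious( $tag ) ? 'ALERT' : 'INFO';
        error_log( sprintf(
            'CVE-2024-5252 %s user=%s(%d) ip=%s post_id=%s tag=%s',
            $severity,
            $user->user_login,
            $user->ID,
            $ip,
            isset( $postarr['ID'] ) ? $postarr['ID'] : 'new',
            substr( $tag, 0, 200 ) // truncate so a huge payload cannot flood the log
        ) );
    }
    return $data; // log only; content is saved unchanged
}, 10, 2 );
```

The filter deliberately does not block or rewrite the submission, so it is safe to deploy alongside the vendor patch; an ALERT line from a contributor account is the trigger to review that post and that account.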
🔗 References
- https://ultimate.brainstormforce.com/changelog/?utm_source=codecanyon-item-page&utm_campaign=uavc-changelog&utm_medium=changelog
- https://www.wordfence.com/threat-intel/vulnerabilities/id/675937dc-a032-4bc4-a449-c815fcb12db6?source=cve