CVE-2024-5646
📋 TL;DR
The Futurio Extra WordPress plugin has a stored XSS vulnerability in its Advanced Text Block widget. Authenticated attackers with Contributor access or higher can inject malicious scripts that execute when users view compromised pages. This affects all WordPress sites using Futurio Extra plugin versions up to 2.0.5.
💻 Affected Systems
- Futurio Extra WordPress Plugin
📦 What is this software?
Futurio Extra by Futuriowp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies or display phishing content to visitors.
If Mitigated
With proper user role management and input validation, impact is limited to potential content defacement within contributor permissions.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker holds contributor credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3100491/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Futurio Extra plugin.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 2.0.6+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Advanced Text Block Widget
Temporarily disable the vulnerable widget until patching
Navigate to WordPress admin > Elementor > Settings > Advanced > Switch 'Disable Advanced Text Block Widget' to ON
Restrict Contributor Permissions
Temporarily elevate contributor role requirements or limit contributor accounts
Use WordPress role management plugins to restrict contributor capabilities or temporarily disable contributor accounts
🧯 If You Can't Patch
- Remove or disable the Futurio Extra plugin entirely
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Futurio Extra version. If the version is 2.0.5 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=futurio-extra --field=version
Verify Fix Applied:
After updating, verify Futurio Extra plugin version shows 2.0.6 or higher in WordPress admin plugins list.
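As an added example (not part of the original advisory), the version check above can be automated across a fleet by feeding the output of wp-cli into a small script. It assumes `wp plugin list --fields=name,version --format=csv` is available on each host; the CSV below is constructed sample output, not real data.

```python
import csv
import io
from typing import List, Tuple

# Constructed sample of `wp plugin list --fields=name,version --format=csv` output.
SAMPLE_WP_CLI_CSV = """name,version
akismet,5.3
futurio-extra,2.0.5
elementor,3.21.0
"""

PLUGIN_SLUG = "futurio-extra"
FIRST_FIXED_VERSION = "2.0.6"  # from the advisory: 2.0.6 or later is patched


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.5' into (2, 0, 5) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for any Futurio Extra version below the first fixed release (2.0.6)."""
    return parse_version(version) < parse_version(FIRST_FIXED_VERSION)


def vulnerable_plugins(csv_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from wp-cli CSV output that still need the patch."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["name"] == PLUGIN_SLUG and is_vulnerable_version(row["version"]):
            findings.append((row["name"], row["version"]))
    return findings


if __name__ == "__main__":
    for name, version in vulnerable_plugins(SAMPLE_WP_CLI_CSV):
        print(f"{name} {version}: update to {FIRST_FIXED_VERSION} or later")
```

Comparing parsed tuples rather than strings matters here: a naive string comparison would rank "2.0.10" below "2.0.6".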
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'header_size' parameter containing script tags
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Unexpected script tags in page responses containing 'header_size' attribute
- External script loads from contributor-edited pages
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "header_size")
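As an added example (not part of the original advisory), the following script applies the first log indicator and the SIEM query above to request records: a POST to /wp-admin/admin-ajax.php whose body references `header_size` and carries script markup. The records are constructed sample data; the field names (`method`, `uri_path`, `post_data`) mirror the SIEM query and are an assumption about how the web server or WAF log is normalised. The flat `header_size=` form and the nested JSON form are both assumptions about how Elementor submits widget settings.

```python
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    # 0: flat parameter carrying a script tag -> should be flagged
    {"method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
     "post_data": "action=elementor_ajax&header_size=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    # 1: ordinary heartbeat request -> benign
    {"method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
     "post_data": "action=heartbeat&_nonce=abc123"},
    # 2: header_size nested inside a JSON-encoded settings blob -> should be flagged
    {"method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
     "post_data": "action=elementor_ajax&actions=" + quote_plus(json.dumps(
         {"save_builder": {"data": {"header_size": "<img src=x onerror=alert(1)>"}}}))},
    # 3: GET request, not a POST -> outside the indicator
    {"method": "GET", "uri_path": "/wp-admin/admin-ajax.php",
     "post_data": ""},
    # 4: legitimate value for the widget setting -> benign
    {"method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
     "post_data": "action=elementor_ajax&header_size=40px"},
]

# Markup that has no business in a size/style setting.
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def flag_record(record: dict) -> Optional[str]:
    """Return a reason if the record matches the advisory's log indicator, else None."""
    if record.get("method", "").upper() != "POST":
        return None
    if record.get("uri_path") != "/wp-admin/admin-ajax.php":
        return None
    body = record.get("post_data", "")
    if "header_size" not in body:
        return None
    # Case 1: header_size is a top-level form field (assumed encoding).
    for value in parse_qs(body, keep_blank_values=True).get("header_size", []):
        if SCRIPT_PATTERN.search(value):
            return "header_size parameter contains script markup"
    # Case 2: header_size sits inside a nested JSON blob; decode and scan the whole body.
    if SCRIPT_PATTERN.search(unquote_plus(body)):
        return "script markup in admin-ajax body that references header_size"
    return None


def scan_records(records: List[dict]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every record that matches the indicator."""
    hits = []
    for index, record in enumerate(records):
        reason = flag_record(record)
        if reason:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in scan_records(SAMPLE_RECORDS):
        print(f"record {index}: {reason}")
```

The `header_size` pre-check keeps the regex off unrelated admin-ajax traffic (heartbeats, autosaves), which is what makes this cheap enough to run over full access logs; the decoded-body fallback catches the nested encoding that a flat `post_data CONTAINS "header_size"` match would surface but a strict parameter parse would miss.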
🔗 References
- https://plugins.trac.wordpress.org/browser/futurio-extra/tags/2.0.5/inc/elementor/widgets/advanced-text-block.php#L265
- https://plugins.trac.wordpress.org/changeset/3100491/#file1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cbb3bd9b-ac1f-4488-931f-2ba37576df2d?source=cve