CVE-2024-6718
📋 TL;DR
The PVN Auth Popup WordPress plugin through version 1.0.0 has a stored cross-site scripting (XSS) vulnerability in its shortcode attributes. This allows authenticated users with contributor-level permissions or higher to inject malicious scripts into pages/posts, which execute when other users view that content. The vulnerability affects WordPress sites using this specific plugin.
💻 Affected Systems
- PVN Auth Popup WordPress Plugin
📦 What is this software?
Pvn Auth Popup by Freebiesdownload
⚠️ Risk & Real-World Impact
Worst Case
An attacker with contributor access could inject malicious JavaScript that steals administrator session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Malicious contributors or compromised contributor accounts inject tracking scripts, deface content, or steal lower-privileged user session data from vulnerable pages.
If Mitigated
With proper user access controls and content moderation, the impact is limited to potential defacement of specific pages where the shortcode is used.
🎯 Exploit Status
Exploitation requires contributor-level access. The vulnerability is in shortcode attribute handling, making exploitation straightforward for authenticated attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://wpscan.com/vulnerability/7d28ea72-8c3b-4607-b877-7b10d954fef9/
Restart Required: No
Instructions:
1. Remove the PVN Auth Popup plugin completely from your WordPress installation.
2. Verify no residual plugin files remain in wp-content/plugins/.
3. Consider alternative authentication popup plugins with proper security validation.
🔧 Temporary Workarounds
Disable Contributor Content Publishing
Temporarily restrict contributor users from publishing content until the plugin is removed.
Use WordPress role management plugins or custom code to modify contributor capabilities
Content Security Policy (CSP)
Implement CSP headers to restrict script execution from untrusted sources.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or use WordPress security plugins to configure CSP
🧯 If You Can't Patch
- Immediately remove the PVN Auth Popup plugin from all WordPress installations.
- Audit all posts/pages for malicious content and review contributor user accounts for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins for 'PVN Auth Popup' plugin. If installed and version is 1.0.0 or earlier, you are vulnerable.
Check Version:
WordPress CLI: wp plugin list --name='pvn-auth-popup' --field=version
Verify Fix Applied:
Confirm the PVN Auth Popup plugin is completely removed from wp-content/plugins/ directory and no longer appears in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual content updates by contributor users
- Posts/pages containing [pvn_auth_popup] shortcode with suspicious attribute values
Network Indicators:
- Unexpected JavaScript loading from WordPress posts/pages
- External script calls from content that should be static
SIEM Query:
source="wordpress" AND (event="post_updated" OR event="page_updated") AND user_role="contributor" AND content CONTAINS "[pvn_auth_popup"
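
One way to run the content audit and the shortcode log indicator described above offline, over post content exported from the database. This is an added example, not code from the plugin or the advisory; the attribute names, the sample rows and the list of suspicious tokens are assumptions.

```python
import re

# Opening tag of the shortcode named in the indicators above; group 1 is the raw attribute text.
SHORTCODE_RE = re.compile(r"\[pvn_auth_popup\b([^\]]*)\]", re.IGNORECASE)
# key="value", key='value' or key=bare, the forms WordPress shortcode attributes take.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Characters and tokens a plain-text attribute value does not need (errs toward flagging).
SUSPICIOUS_RE = re.compile(r"""[<>"'`]|&#|&\w+;|\bon\w+\s*=|javascript\s*:""", re.IGNORECASE)


def audit_content(content):
    """Return (attribute, value) pairs that deserve manual review."""
    findings = []
    for tag in SHORTCODE_RE.finditer(content):
        raw = tag.group(1)
        for attr in ATTR_RE.finditer(raw):
            value = next(g for g in attr.groups()[1:] if g is not None)
            if SUSPICIOUS_RE.search(value):
                findings.append((attr.group(1), value))
        # Text that is not a well-formed attribute often means a quote was closed early.
        leftover = ATTR_RE.sub("", raw).strip()
        if leftover:
            findings.append(("(unparsed)", leftover))
    return findings


def audit_posts(posts):
    """Map post ID -> author role and findings, for every post with at least one finding."""
    report = {}
    for post in posts:
        findings = audit_content(post["content"])
        if findings:
            report[post["id"]] = {"author_role": post["author_role"], "findings": findings}
    return report


# Constructed sample rows; attribute names are hypothetical, not taken from the plugin.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "contributor",
     "content": 'Welcome [pvn_auth_popup title="Member login" width=400]'},
    {"id": 102, "author_role": "contributor",
     "content": '[pvn_auth_popup title="Log in<script src=//example.invalid/x.js></script>"]'},
    {"id": 103, "author_role": "editor", "content": "No shortcode here."},
]

if __name__ == "__main__":
    for post_id, entry in audit_posts(SAMPLE_POSTS).items():
        print(post_id, entry["author_role"], entry["findings"])
```

Flagged posts still need manual review: an apostrophe in an otherwise harmless value is reported too.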