CVE-2024-6798

4.8 MEDIUM

📋 TL;DR

The DL Verification WordPress plugin through version 1.2 does not sanitise and escape some of its settings, so a high-privilege user such as an administrator can store a cross-site scripting (XSS) payload that executes in the browser of anyone who later views the affected settings page. This holds even where the unfiltered_html capability is disallowed, for example in WordPress multisite, which is what makes it a vulnerability rather than an intended administrator capability. Only WordPress sites running the vulnerable plugin are affected.

💻 Affected Systems

Products:
  • DL Verification WordPress Plugin
Versions: 1.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator-level access to exploit. The issue matters mainly where the unfiltered_html capability is disallowed, which is the case for site administrators in WordPress multisite; on a single-site install an administrator with unfiltered_html can already publish arbitrary script, so the plugin adds little exposure there.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An administrator-level account injects JavaScript into a plugin setting, and it runs in the browser of every other user who opens the affected page. WordPress authentication cookies are HttpOnly, so outright cookie theft is unlikely; the realistic payload rides the victim's session instead, driving wp-admin or REST endpoints with the victim's nonce to create accounts, change roles or install plugins, or redirecting the victim to a phishing page. On multisite, where this vulnerability matters most, a site administrator could use it against a super admin who visits the page and escalate to network-wide compromise.

🟠

Likely Case

Malicious admin injects tracking scripts or defaces the site by modifying content through stored XSS payloads in plugin settings.

🟢

If Mitigated

With proper admin account security and regular monitoring, impact is limited to potential defacement or minor data leakage from the specific plugin settings pages.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator privileges. The plugin stores some of its settings without sanitising them and renders them without escaping, so a payload saved once executes on every later view of the affected page. A payload need not contain a <script> tag: where the value lands inside an HTML attribute, a quote that closes the attribute followed by an event handler works just as well, and a filter that only strips tags on input does not stop it.
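
The difference between sanitising on save and escaping on output is what decides whether a fix of this class holds. The following is an added example in Python, not code from the DL Verification plugin, that models the round-trip of one setting into an HTML attribute three ways: rendered raw, rendered after a tag-stripping input filter only, and rendered with escaping on output. The field name, the payloads and the simplified sanitiser are constructed for illustration; the sanitiser imitates the intent of WordPress's sanitize_text_field() and the escaped renderer the role of esc_attr(), but neither is the WordPress function.

```python
"""
Added example, not code from the DL Verification plugin: a Python model of the
settings round-trip behind a stored XSS of this kind, runnable without WordPress.
A stored setting is rendered into an HTML attribute three ways: raw (vulnerable),
tag-stripped on save only (still vulnerable), and escaped on output (fixed).
The field name, payloads and simplified sanitiser are constructed for illustration.
"""
import html
import re
from html.parser import HTMLParser

# Constructed payload: no <script> tag, just a quote that closes the attribute
# followed by an event handler that fires as soon as the field gets focus.
BREAKOUT = '" autofocus onfocus="alert(document.domain)'
# The payload most naive filters are written against.
SCRIPT_TAG = "<script>alert(1)</script>"


def strip_tags(value: str) -> str:
    """Simplified input sanitiser that removes HTML tags. Imitates the intent of
    WordPress's sanitize_text_field() but is not that function (assumption)."""
    return re.sub(r"<[^>]*>", "", value).strip()


def render_raw(value: str) -> str:
    """Vulnerable: the stored setting is concatenated straight into an attribute."""
    return f'<input type="text" name="dlv_api_key" value="{value}">'


def render_escaped(value: str) -> str:
    """Hardened: context-appropriate escaping at the output site (the role
    esc_attr() plays in WordPress). Quotes become &quot;, so the value can
    never end the attribute it was placed in."""
    return f'<input type="text" name="dlv_api_key" value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def event_handlers(markup: str) -> list:
    """Names of on* attributes the parsed <input> carries. The template writes
    only type, name and value, so any on* attribute is attacker-controlled script."""
    parser = _InputAttrs()
    parser.feed(markup)
    return sorted(a for a in parser.attrs if a.startswith("on"))


if __name__ == "__main__":
    for label, payload in (("script tag", SCRIPT_TAG), ("attribute break-out", BREAKOUT)):
        print(f"{label}:")
        print("  raw              ->", event_handlers(render_raw(payload)))
        print("  strip on save    ->", event_handlers(render_raw(strip_tags(payload))))
        print("  escape on output ->", event_handlers(render_escaped(strip_tags(payload))))
```

Run it and the break-out payload, which contains no tag at all, passes the input filter untouched and yields an onfocus handler on the raw renderer, while the escaped renderer returns a clean element for both payloads. That is why a fix has to escape at the output site for the context the value lands in, and why a filter or WAF rule that only looks for <script> gives false comfort.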

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3 or later

Vendor Advisory: https://wpscan.com/vulnerability/c719922e-b2b3-452f-856a-5cc983a4ac18/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'DL Verification' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.3 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily deactivate the vulnerable plugin until it is patched. The slug below is the one this page uses; confirm it with wp plugin list first, since a plugin's directory name can differ from its display name:

wp plugin deactivate dl-verification

Remove Admin XSS Capabilities

Platform: all

Add sanitisation on save and, more importantly, context-appropriate output escaping (esc_attr for attribute values, esc_html for text) wherever the plugin renders its settings. This is a code change to the plugin, not a configuration switch, so it only suits teams willing to carry a local patch until version 1.3 is deployed. Stripping tags on input alone does not stop an attribute break-out payload.

🧯 If You Can't Patch

  • Remove administrator access from untrusted users and enforce strict access controls; on multisite, review which accounts hold the site administrator role, since that is the population able to exploit this without the unfiltered_html capability
  • A web application firewall rule on POSTs to the plugin's settings page is a tripwire, not a control: the attacker is already an authenticated administrator, and payloads do not need a <script> tag (an attribute break-out with an event handler, or a javascript: URL, works as well). Alert on it; do not rely on it

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for DL Verification version 1.2 or earlier

Check Version:

wp plugin list --name=dl-verification --field=version

Verify Fix Applied:

Verify plugin version is 1.3 or later in WordPress admin plugins page

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to plugin settings
  • Admin users making unexpected changes to DL Verification configuration

Network Indicators:

  • Script tags, event-handler attributes (onerror=, onfocus=, onload=) or javascript: URLs in the fields of POST requests that save the plugin's settings. The settings page is wp-admin/admin.php?page=dl-verification; settings forms built on the WordPress Settings API submit to wp-admin/options.php instead, so confirm the form action in the plugin's markup before writing rules. Standard web server access logs do not record request bodies, so this indicator needs a WAF or reverse proxy that logs POST bodies

SIEM Query:

source="wordpress" AND http_method="POST" AND uri_path="/wp-admin/admin.php" AND query_string="page=dl-verification" AND (request_body CONTAINS "<script" OR request_body CONTAINS "onerror=" OR request_body CONTAINS "onfocus=" OR request_body CONTAINS "onload=" OR request_body CONTAINS "javascript:")

This is pseudo-syntax; adapt the field names to your SIEM. Match on the decoded body, since browsers URL-encode < as %3C in form submissions and payloads may be double- or entity-encoded, and restrict to POSTs so that merely viewing the page does not alert.
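
To make the indicator concrete, here is an added example in Python, not part of the original advisory, that runs the idea of the query above over a handful of constructed request records and reports which settings saves look like stored-XSS attempts. It decodes the form body (URL and HTML-entity encoding) before matching, looks for event-handler attributes and javascript: URLs as well as tags, and ignores POSTs to the post editor, where an administrator with unfiltered_html legitimately submits script. The log format, the field names (dlv_api_key, dlv_label, dlv_link) and the inclusion of wp-admin/options.php as a second save path are assumptions.

```python
"""
Added example, not part of the original advisory: a detector that applies the
idea of the SIEM query above to request records, decoding the form body before
matching and looking beyond a literal "<script>". Log format, field names and
the second save path (wp-admin/options.php) are assumptions for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample records: method|url|raw form body, as a reverse proxy or
# WAF with body logging might emit them. Standard access logs carry no body.
SAMPLE_LOG = """\
POST|/wp-admin/admin.php?page=dl-verification|option_page=dl_verification&dlv_api_key=abc123
POST|/wp-admin/admin.php?page=dl-verification|dlv_api_key=%22+autofocus+onfocus%3D%22alert%281%29
POST|/wp-admin/admin.php?page=dl-verification|dlv_label=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
POST|/wp-admin/admin.php?page=dl-verification|dlv_link=javascript%26%2358%3Balert%281%29
POST|/wp-admin/options.php|option_page=dl_verification&dlv_api_key=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
GET|/wp-admin/admin.php?page=dl-verification|
POST|/wp-admin/post.php|content=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
"""

# Paths on which the plugin's settings get saved. admin.php?page=dl-verification
# is the page this advisory names; options.php is where WordPress Settings API
# forms post, included here as an assumption to confirm against the plugin.
SETTINGS_PATHS = {"/wp-admin/admin.php", "/wp-admin/options.php"}

# A bare "<script>" check misses most stored-XSS payloads; match the three
# shapes that actually execute: tags that take handlers, event attributes,
# and javascript: URLs.
INDICATORS = [
    ("tag", re.compile(r"<\s*(script|img|svg|iframe|body|object|embed)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js-uri", re.compile(r"javascript\s*:", re.I)),
]


def normalise(value: str) -> str:
    """URL-decode until stable (catches double encoding), then unescape HTML
    entities so javascript&#58; and &#60;script&#62; are seen for what they are."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return html.unescape(value)


def is_settings_save(method: str, url: str, fields: dict) -> bool:
    """True for a POST that saves this plugin's settings, identified by the
    page query parameter or by the option_page field the Settings API submits."""
    parts = urlsplit(url)
    if method != "POST" or parts.path not in SETTINGS_PATHS:
        return False
    page = parse_qs(parts.query).get("page", [])
    return "dl-verification" in page or "dl_verification" in fields.get("option_page", [])


def scan(log: str) -> list:
    """Return (line_no, field, indicator) for every settings-save field that
    carries an XSS indicator after decoding. Saves to other endpoints are
    ignored: post content from an admin with unfiltered_html is not this bug."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        method, url, body = line.split("|", 2)
        fields = parse_qs(body, keep_blank_values=True)
        if not is_settings_save(method, url, fields):
            continue
        for field, values in fields.items():
            for value in values:
                decoded = normalise(value)
                for label, pattern in INDICATORS:
                    if pattern.search(decoded):
                        hits.append((n, field, label))
                        break
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: field %s looks like stored XSS (%s)" % hit)
```

Of the seven constructed records, four are flagged: the attribute break-out, the img/onerror tag, the entity-encoded javascript: URL and the script tag posted via options.php. The benign save, the GET that merely views the page, and the script tag in post content are not, which is the precision a tripwire on an admin-only action needs if anyone is going to keep looking at its alerts.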
