CVE-2024-6887
📋 TL;DR
The RafflePress WordPress plugin before version 1.12.16 has a stored cross-site scripting (XSS) vulnerability in its Giveaways settings: the affected settings are neither sanitised on save nor escaped on output. An authenticated user with editor-level privileges or higher can store script in those settings, and it executes in the browser of any other user who later views an affected page. Because the plugin does not apply WordPress's own HTML filtering, the payload is stored even where the user has been denied the unfiltered_html capability, which is the default for everyone except super admins on multisite and for any site that sets DISALLOW_UNFILTERED_HTML; that is what makes the bug notable rather than merely a high-privilege user doing what unfiltered_html already allows.
💻 Affected Systems
- Giveaways and Contests by RafflePress WordPress Plugin
📦 What is this software?
RafflePress (plugin slug rafflepress), a giveaway and contest plugin for WordPress by SeedProd.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with editor privileges could inject JavaScript that runs in the browser of an administrator viewing the affected page and, using the victim's session and nonces, performs privileged actions on their behalf (for example creating a new administrator account or installing a plugin through wp-admin), or redirects users to phishing sites, potentially leading to complete site compromise.
Likely Case
Malicious editors could inject advertising scripts, deface content, or run arbitrary script in the browsers of other logged-in users viewing the affected giveaway pages. WordPress sets its authentication cookies as HttpOnly, so direct cookie theft is not the usual outcome; requests made with the victim's privileges are.
If Mitigated
With editor and higher roles limited to trusted accounts and plugins kept up to date, the exposure is limited to those trusted users deliberately abusing the flaw, or to an attacker who has already compromised one of their accounts.
🎯 Exploit Status
Exploitation requires an account with editor-level privileges or higher. No further technique is needed once that access exists: the payload is saved into a Giveaways setting through the normal plugin UI and fires whenever another user views the affected page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.16
Vendor Advisory: https://wpscan.com/vulnerability/553806f4-da20-433c-8c19-35e6c87ccade/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Giveaways and Contests by RafflePress'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.12.16 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the RafflePress plugin until it can be updated to a fixed version (on multisite, deactivate it on every site where it is active).
wp plugin deactivate rafflepress
Restrict Editor Privileges
Temporarily downgrade or remove editor and higher roles from accounts you do not fully trust.
wp user set-role <username> author
🧯 If You Can't Patch
- Implement strict user access controls and audit all users with editor privileges or higher
- Install a web application firewall (WAF) with XSS protection rules, treating it as defence in depth only: it sees the request after the editor has authenticated and catches only payloads that match its signatures
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins. If version is below 1.12.16, the site is vulnerable.
Check Version:
wp plugin get rafflepress --field=version
Verify Fix Applied:
Confirm the plugin version is 1.12.16 or higher. On a staging site, save a harmless HTML tag in a Giveaways setting as a non-administrator and confirm it is rendered escaped rather than as markup.
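The version check above is easy to get wrong with a plain string comparison (1.12.9 sorts after 1.12.16 lexically). The script below is an added example, not part of the advisory or the plugin: it compares dotted versions numerically and, when run with --live, reads the installed version through the real WP-CLI command wp plugin get rafflepress --field=version. The script name check_rafflepress.sh is an assumption.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): is the installed
# RafflePress older than the fixed release 1.12.16?

FIXED_VERSION=1.12.16

# version_lt A B: exit 0 when dotted version A is older than B, 1 otherwise.
# Components are compared numerically; missing components count as 0 and
# non-numeric suffixes ("-beta") are dropped, so 1.12.16-beta compares equal
# to 1.12.16 (treat pre-releases of the fixed version with care).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    case $a in *.*) ai=${a%%.*}; a=${a#*.} ;; *) ai=$a; a= ;; esac
    case $b in *.*) bi=${b%%.*}; b=${b#*.} ;; *) bi=$b; b= ;; esac
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1   # all components equal
}

# rafflepress_vulnerable INSTALLED_VERSION: exit 0 if below the fixed version.
rafflepress_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# Live check: sh check_rafflepress.sh --live   (run from the WordPress root)
if [ "${1:-}" = "--live" ]; then
  installed=$(wp plugin get rafflepress --field=version)
  if rafflepress_vulnerable "$installed"; then
    echo "rafflepress $installed is VULNERABLE; update to $FIXED_VERSION or later"
    exit 2
  fi
  echo "rafflepress $installed is patched"
fi
```

On a multisite install the plugin code is shared, so one check covers the network; pass --url=<site> to wp only if you also want to confirm per-site activation state.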
📡 Detection & Monitoring
Log Indicators:
- POST requests to the RafflePress giveaway settings pages from accounts or source addresses that do not normally edit giveaways (the payload itself is in the POST body, which standard web-server access logs do not record)
- JavaScript payloads (script tags, javascript: URLs, on* event handlers) in the stored giveaway settings, visible in a database or settings export rather than in request logs
Network Indicators:
- Unexpected script tags in giveaway page responses
- External script loads from giveaway content
SIEM Query (illustrative; adapt the source and field names to your platform, and expect benign hits on the bare word "script" from legitimate page loads):
source="wordpress.log" AND ("rafflepress" OR "giveaway") AND ("script" OR "javascript" OR "onclick")
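The indicators above can be checked without a SIEM. The script below is an added example, not from the advisory: one helper lists settings-write POSTs from a combined-format access log, the other counts lines with inline-script indicators in an exported copy of giveaway content. Both run against constructed sample data embedded in the script. The admin-ajax.php action name rafflepress_save and the page=rafflepress query string are placeholders, not documented plugin endpoints; substitute whatever paths your own logs show for giveaway edits.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): grep-level detection for
# the log and content indicators, over CONSTRUCTED sample data.

# Constructed combined-log-format sample: an editor saving giveaway settings
# twice and an anonymous visitor viewing a public giveaway page. The request
# paths are placeholders, not real RafflePress endpoints.
SAMPLE_LOG='203.0.113.7 - editor1 [10/Jul/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=rafflepress HTTP/1.1" 200 5120
203.0.113.7 - editor1 [10/Jul/2024:10:01:40 +0000] "POST /wp-admin/admin-ajax.php?action=rafflepress_save HTTP/1.1" 200 44
198.51.100.9 - - [10/Jul/2024:10:02:11 +0000] "GET /giveaway/summer/ HTTP/1.1" 200 9020
203.0.113.7 - editor1 [10/Jul/2024:10:03:55 +0000] "POST /wp-admin/admin-ajax.php?action=rafflepress_save HTTP/1.1" 200 44'

# Constructed excerpt of exported giveaway content with two injected
# payloads (an event handler and a javascript: URL) among benign HTML.
SAMPLE_EXPORT='<h2>Summer giveaway</h2>
<p>Enter by <a href="https://example.com/rules">reading the rules</a>.</p>
<img src=x onerror="alert(document.cookie)">
<p>Good luck!</p>
<a href="javascript:alert(document.domain)">Click here</a>'

# rp_settings_writes: stdin = access log; prints "ip user time path" for every
# POST whose path mentions rafflepress. Fields follow the combined log format:
# $6 is the quoted method, $7 the request path.
rp_settings_writes() {
  awk '$6 == "\"POST" && $7 ~ /rafflepress/ { print $1, $3, $4, $7 }'
}

# xss_indicator_count: stdin = exported content; prints the number of lines
# carrying an inline-script indicator. The on*= pattern is anchored so that
# words like "reason=" do not match; expect some noise from legitimate markup.
xss_indicator_count() {
  grep -Eic '<script|javascript:|(^|[^a-z])on[a-z]+[[:space:]]*=|<svg|<iframe|srcdoc=' || true
}

# Demo on the constructed samples.
echo "Settings writes in sample log:"
printf '%s\n' "$SAMPLE_LOG" | rp_settings_writes
echo "Lines with script indicators in sample export: $(printf '%s\n' "$SAMPLE_EXPORT" | xss_indicator_count)"
```

For a real site, feed rp_settings_writes the web-server access log and xss_indicator_count a database or settings export, then review each hit by hand: a single editor account producing many settings writes in a short window, or any line flagged in content that account touched, is worth reading in full rather than trusting the pattern match.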