CVE-2024-7655

4.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers with administrator-level access to inject malicious scripts into WordPress pages using the PeepSo plugin. The scripts execute when users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. Only multi-site WordPress installations or those with unfiltered_html disabled are affected.

💻 Affected Systems

Products:
  • PeepSo - Social Network, Membership, Registration, User Profiles WordPress plugin
Versions: All versions up to and including 6.4.5.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only affects WordPress multi-site installations or installations where unfiltered_html capability is disabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case

Session hijacking, credential theft, or defacement of affected pages by malicious administrators.

🟢 If Mitigated

Limited impact due to requiring administrator access and specific WordPress configurations.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires administrator-level authenticated access and specific WordPress configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.6.0

Vendor Advisory: https://www.peepso.com/6-4-6-0/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the PeepSo plugin.
4. Click 'Update Now' or manually update to version 6.4.6.0+.
5. Verify the update completes successfully.

🔧 Temporary Workarounds

Enable unfiltered_html capability (if currently disabled)

all

Enable unfiltered_html capability for administrators to prevent exploitation (if currently disabled).

Add define('DISALLOW_UNFILTERED_HTML', false); to wp-config.php

Restrict administrator accounts

all

Limit administrator accounts to trusted users only and implement strong access controls.

🧯 If You Can't Patch

  • Remove administrator access from untrusted users immediately.
  • Implement web application firewall (WAF) rules to block XSS payloads.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > PeepSo version. If version is 6.4.5.0 or lower, you are vulnerable.

Check Version:

wp plugin list --name=peepso-core --field=version

Verify Fix Applied:

Confirm PeepSo plugin version is 6.4.6.0 or higher in WordPress admin panel.
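The version check above compared by hand, as an added example that is not part of this advisory: a small POSIX shell helper that classifies a PeepSo version string against the fixed release, using `sort -V` so that 6.4.10.0 is correctly ranked above 6.4.6.0. The optional live check assumes WP-CLI is installed and that a `WP_PATH` environment variable (an assumption, not from the advisory) points at the site root.

```shell
#!/bin/sh
# Added example, not from the advisory or the PeepSo project.
FIXED_VERSION="6.4.6.0"   # first fixed release per the advisory

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Uses sort -V (GNU/BusyBox/BSD) so multi-digit components compare numerically.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# peepso_status VERSION -> prints "vulnerable", "fixed" or "unknown".
# Exit code: 1 = vulnerable, 0 = fixed, 2 = unparseable/empty input
# (e.g. plugin not installed, so wp printed nothing).
peepso_status() {
    case "$1" in
        ''|*[!0-9.]*) echo unknown; return 2 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable; return 1
    fi
    echo fixed; return 0
}

# Live check: only runs when WP-CLI is available and WP_PATH (assumed) is set.
if command -v wp >/dev/null 2>&1 && [ -n "${WP_PATH:-}" ]; then
    v="$(wp plugin list --name=peepso-core --field=version --path="$WP_PATH" 2>/dev/null)"
    printf 'peepso-core %s: ' "${v:-<not installed>}"
    peepso_status "$v"
fi
```

Run with `WP_PATH=/var/www/html sh check-peepso.sh` on the server; the exit code can feed a cron or configuration-management check.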

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity, unexpected script tags in page content, or POST requests with script payloads to admin endpoints.

Network Indicators:

  • Suspicious JavaScript in HTTP responses from WordPress pages.

SIEM Query:

source="wordpress.log" AND ("script" OR "javascript" OR "onload" OR "onerror") AND "admin"
