CVE-2024-7758
📋 TL;DR
The Stylish Price List WordPress plugin before version 7.1.8 does not sanitize some of its settings on input or escape them on output, leaving a stored cross-site scripting (XSS) vulnerability. An authenticated user with Contributor privileges or higher can store a script payload that runs in the browser of any user, including administrators, who later views the affected page. Because the payload is stored through the plugin's own settings handling rather than through the post editor, it executes even where the unfiltered_html capability has been withheld, as it is for everyone but super admins on a multisite install, which is why multisite deployments are a particular concern.
💻 Affected Systems
- WordPress Stylish Price List plugin
📦 What is this software?
Stylish Price List by Stylishpricelist
⚠️ Risk & Real-World Impact
Worst Case
An attacker with Contributor access stores a JavaScript payload that runs in an administrator's browser and uses that administrator's authenticated session to create a new administrator account, edit theme files, or install a backdoor plugin, leading to full site takeover. The same payload can redirect visitors to phishing sites. Note that WordPress authentication cookies are set HttpOnly, so the realistic path is actions performed through the victim's session rather than outright cookie theft.
Likely Case
An authenticated low-privilege user stores a script in the plugin settings that fires when an administrator or editor views the affected settings or price list page, performing unauthorized actions (for example, changing site options or publishing content) with that user's privileges.
If Mitigated
If Contributor and higher accounts are restricted to trusted users and the plugin is kept current, exposure is limited to what an already-trusted contributor could do, and site functionality is unaffected. A Content Security Policy that blocks inline script further reduces what a stored payload can do, but it does not remove the injection point.
🎯 Exploit Status
Exploitation requires an authenticated account with Contributor privileges or higher; unauthenticated visitors cannot trigger it. The root cause is plugin settings that are neither sanitized when saved nor escaped when rendered, so a payload submitted once is served back to every user who views the affected page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.8
Advisory (WPScan): https://wpscan.com/vulnerability/0bf39a29-a605-407b-9ab0-a82437d16153/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Stylish Price List' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 7.1.8 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily remove the Contributor role (and any higher role) from accounts that are not fully trusted, for example by demoting them to Subscriber, until the patch is applied.
Disable Plugin
Deactivate the Stylish Price List plugin if it is not critically needed; with wp-cli:
wp plugin deactivate stylish-price-list
🧯 If You Can't Patch
- Restrict who holds the Contributor role or higher, and review existing accounts for ones that should not have it
- Deploy web application firewall (WAF) rules that block script fragments in POST requests to wp-admin; treat this as a stopgap, since XSS filters are routinely bypassed with encoding variants and the attacker is already authenticated
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin, go to Plugins → Installed Plugins and read the Stylish Price List version. If it is below 7.1.8, the site is vulnerable.
Check Version:
wp plugin get stylish-price-list --field=version
Verify Fix Applied:
Verify plugin version shows 7.1.8 or higher in WordPress admin panel.
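The version check above can be scripted so it can run across many sites. The following is an added example, not from the advisory or the plugin vendor; it assumes the plugin slug stylish-price-list (the slug the wp-cli command on this page uses) and that wp-cli runs as the site's web user. The comparison is pure POSIX sh so it works without GNU sort -V.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): decide whether an
# installed Stylish Price List version is below the fixed release 7.1.8.
# Assumes the plugin slug "stylish-price-list" and that wp-cli is on PATH when
# run against a live site; version_lt itself needs only POSIX sh.

FIXED_VERSION="7.1.8"

# version_lt A B: exit 0 if A < B, comparing dotted numeric components.
# Missing components count as 0, so "7.1" < "7.1.8" and "7.1.8" == "7.1.8.0";
# a non-numeric suffix such as "-beta" is ignored rather than breaking the test.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# spl_is_vulnerable VERSION: exit 0 if VERSION is affected (below 7.1.8).
spl_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: read the installed version via wp-cli and report.
# Exit 0 = vulnerable, 1 = patched, 2 = plugin absent or wp-cli failed.
check_site() {
    installed="$(wp plugin get stylish-price-list --field=version 2>/dev/null)" || {
        echo "stylish-price-list is not installed (or wp-cli failed)"
        return 2
    }
    if spl_is_vulnerable "$installed"; then
        echo "VULNERABLE: stylish-price-list $installed < $FIXED_VERSION"
        return 0
    fi
    echo "OK: stylish-price-list $installed >= $FIXED_VERSION"
    return 1
}

# Run the live check only when invoked as "sh check-spl.sh check", so the
# functions can also be sourced into other scripts.
if [ "${1:-}" = "check" ]; then check_site; fi
```

Run it from the WordPress root (or add --path=/var/www/site to the wp call) as the web user, and loop over sites with wp site list --field=url on multisite. The exit codes let a cron job or inventory script record the result without parsing the message.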
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin settings endpoints
- JavaScript payloads in plugin-related form submissions
Network Indicators:
- Suspicious script tags in HTTP requests to wp-admin/admin-ajax.php or plugin-specific endpoints
SIEM Query:
source="wordpress.log" AND ("stylish-price-list" OR "spl_settings") AND ("script" OR "javascript" OR "onload" OR "onerror")
Note: standard web server access logs do not record POST bodies, so a query like this only sees payloads carried in query strings. Point it at a log source that captures request bodies (a WAF or ModSecurity audit log, or a WordPress activity log) to catch payloads submitted through the settings form. The "spl_settings" token is illustrative; confirm the plugin's actual option and admin-ajax action names from its source before tuning the query, and expect URL-encoded variants (%3Cscript, onerror%3D) as well as plain ones.
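The indicators above can be checked against an access log without a SIEM. The following is an added example, not from the advisory or the plugin vendor: it filters POST requests that touch the plugin and carry script-like fragments, and it ships with a constructed sample log (not real traffic) so it runs offline. The endpoint paths and the spl_save action name are assumptions; confirm the real ones from the plugin source. Because access logs omit POST bodies, this catches only payloads in the URL, which is the same limitation the SIEM query has.

```shell
#!/bin/sh
# Added example, not from the advisory: scan an Apache/Nginx-style access log
# for POST requests to Stylish Price List endpoints whose URL carries
# script-like fragments. Endpoint patterns are assumptions (adjust after
# reading the plugin's settings page and admin-ajax action names).

PLUGIN_PATTERN='stylish-price-list|page=spl|spl_settings|admin-ajax\.php'
# Plain and URL-encoded forms of the usual markers; -i handles case.
XSS_PATTERN='<script|%3Cscript|javascript:|on(load|error|mouseover|focus)(=|%3D)'

# flag_xss_posts LOGFILE: print every POST line matching both patterns.
# Exit status is 0 when at least one line was flagged (grep semantics).
flag_xss_posts() {
    grep -iE '"POST ' "$1" | grep -iE "$PLUGIN_PATTERN" | grep -iE "$XSS_PATTERN"
}

# flagged_count LOGFILE: same filter, printing only the number of hits.
flagged_count() {
    flag_xss_posts "$1" | wc -l | tr -d ' '
}

# write_sample_log FILE: constructed sample lines (not real traffic).
# Lines 2 and 4 should be flagged. Line 3 is a GET of a blog post whose slug
# merely contains "onload"; line 5 is a benign admin-ajax heartbeat POST.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Aug/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=spl HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:10:01:09 +0000] "POST /wp-admin/admin.php?page=spl&spl_settings[title]=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2024:10:02:00 +0000] "GET /blog/onload-events-explained/ HTTP/1.1" 200 8834 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:10:02:31 +0000] "POST /wp-admin/admin-ajax.php?action=spl_save&desc=x%22%20onerror%3Dalert(document.cookie) HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2024:10:03:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
EOF
}

# demo: build the sample log in a temp file, print the hits, clean up.
demo() {
    tmp="$(mktemp)"
    write_sample_log "$tmp"
    flag_xss_posts "$tmp" || echo "no suspicious settings writes found"
    rm -f "$tmp"
}

# "sh scan-spl.sh demo" runs against the sample; otherwise pass a real log:
#   sh scan-spl.sh /var/log/nginx/access.log
if [ "${1:-}" = "demo" ]; then
    demo
elif [ -n "${1:-}" ]; then
    flag_xss_posts "$1"
fi
```

Every hit should be correlated with the WordPress user behind the session (WordPress activity logs, or the admin_ajax action plus timestamp) and with the stored option value; a flagged request from an account that should not hold Contributor or higher is the signal to act on.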