CVE-2024-8664
📋 TL;DR
The WP Test Email WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts via crafted URLs. When users click malicious links, attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites using WP Test Email plugin versions 1.1.7 and earlier are affected.
💻 Affected Systems
- WP Test Email WordPress Plugin
📦 What is this software?
Wp Test Email by Boopathirajan
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access to WordPress, install backdoors, deface websites, or exfiltrate sensitive data.
Likely Case
Attackers steal user session cookies, redirect users to phishing sites, or perform limited actions within the user's current session context.
If Mitigated
With proper web application firewalls and security headers, malicious scripts are blocked or sanitized before execution.
🎯 Exploit Status
Exploitation requires social engineering to trick users into clicking malicious links. Technical exploitation is straightforward once a malicious link is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.8 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP Test Email plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.1.8 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable WP Test Email Plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate wp-test-email
Implement Content Security Policy
Add CSP headers to prevent script execution from untrusted sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
Note that script-src 'self' also blocks the inline scripts that WordPress core, the admin panel and many themes rely on, so test the policy with a Content-Security-Policy-Report-Only header first and only enforce it once the reports show no breakage.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in URLs
- Disable the WP Test Email plugin completely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the WP Test Email version. If the version is 1.1.7 or lower, the site is vulnerable.
Check Version:
wp plugin get wp-test-email --field=version
Verify Fix Applied:
Verify WP Test Email plugin version is 1.1.8 or higher in WordPress admin panel.
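The version check above is easy to get wrong when done by eye or with a string comparison ("1.1.10" sorts before "1.1.7" lexically). The following script is an added example, not part of the advisory or the plugin: it reads the Version field from a plugin file header (the same field wp-cli prints with wp plugin get wp-test-email --field=version) and compares it numerically against the last vulnerable release. The sample header is constructed for offline testing and is not copied from the plugin.

```python
import re

# Versions at or below LAST_VULNERABLE are affected per the advisory; FIXED_VERSION is the patch.
LAST_VULNERABLE = "1.1.7"
FIXED_VERSION = "1.1.8"


def parse_version(version):
    """Turn '1.1.7', '1.1.10' or '1.1.7.0' into a tuple of ints for numeric comparison.

    Trailing zero components are dropped so that '1.1.7.0' equals '1.1.7'.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed WP Test Email version is 1.1.7 or older."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def version_from_plugin_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin file header comment."""
    match = re.search(
        r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.MULTILINE
    )
    if not match:
        raise ValueError("no Version: header found")
    return match.group(1)


# Constructed sample header (assumption: not the plugin's real file) for offline testing.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Test Email
 * Version: 1.1.7
 */
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    state = "VULNERABLE, update to " + FIXED_VERSION if is_vulnerable(installed) else "patched"
    print(f"WP Test Email {installed}: {state}")
```

To check a live site, feed the script the first kilobyte of wp-content/plugins/wp-test-email/wp-test-email.php, or pass the string returned by wp-cli straight to is_vulnerable().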
📡 Detection & Monitoring
Log Indicators:
- Unusually long URLs containing script tags in WordPress access logs
- Repeated requests to wp-test-email endpoints with suspicious query parameters
Network Indicators:
- HTTP requests containing <script> tags in query parameters to wp-test-email endpoints
- Unusual redirects from wp-test-email plugin pages
SIEM Query:
source="wordpress_access.log" AND uri="*wp-test-email*" AND (query="*<script>*" OR query="*javascript:*")
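A plain substring match like the SIEM query above only catches payloads written literally as <script>; reflected XSS payloads in URLs are almost always URL-encoded (%3Cscript%3E), sometimes twice. The script below is an added example, not part of the advisory: it parses combined-format access log lines, keeps only requests that reference wp-test-email in the path or query string, URL-decodes the query repeatedly, and then looks for script tags, javascript: URLs and inline event handlers. It generalizes the page's indicator list to encoded and double-encoded forms. The log lines, IP addresses and parameter names are constructed for the example and are not taken from the plugin or from any real incident.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that suggest an XSS payload once the query string is URL-decoded.
# The \b before 'on' avoids flagging ordinary parameters such as confirm=1.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon\w+\s*=|<\s*svg|<\s*img", re.IGNORECASE
)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a dict describing a suspicious wp-test-email request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = decode_fully(parts.query)
    # The plugin may be reached by path or by an admin.php?page=... style query.
    if "wp-test-email" not in parts.path and "wp-test-email" not in query:
        return None
    hit = XSS_MARKERS.search(query)
    if not hit:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "marker": hit.group(0), "query": query}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits, in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log (assumption: the parameter names are illustrative, not the plugin's).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-test-email HTTP/1.1" 200 1532',
    '203.0.113.9 - - [10/Sep/2024:10:02:11 +0000] "GET /wp-admin/admin.php?page=wp-test-email&param=%3Cscript%3E HTTP/1.1" 200 1601',
    '198.51.100.7 - - [10/Sep/2024:10:03:45 +0000] "GET /wp-admin/admin.php?page=wp-test-email&param=%253Cscript%253E HTTP/1.1" 200 1590',
    '198.51.100.12 - - [10/Sep/2024:10:04:20 +0000] "GET /wp-admin/admin.php?page=wp-test-email&url=javascript%3Avoid(0) HTTP/1.1" 200 1588',
    '198.51.100.8 - - [10/Sep/2024:10:05:00 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} marker={hit['marker']!r} query={hit['query']!r}")
```

Run it against a real access log with scan(open("access.log")); the last sample line is deliberately left unflagged because it does not touch the plugin, which keeps the alert volume focused on the affected endpoint rather than on every encoded angle bracket hitting the site.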
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-test-email/tags/1.1.7/wp-test-email.php#L189
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150538%40wp-test-email&new=3150538%40wp-test-email&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/70c1ee04-cfb1-4819-95ab-497e814da16f?source=cve