CVE-2024-7313 Scanner

Shield Security Plugin is a widely-used WordPress plugin designed to enhance site security through features like firewall protection, login protection, and user monitoring. It is trusted by administrators to defend against common attacks such as brute force, malware, and unauthorized access. The plugin integrates tightly with the WordPress admin panel and offers extensive configuration options. It is commonly used by individuals and businesses looking for automated security hardening. With both free and premium features, Shield Security is present in a large number of WordPress installations. Its integration into sensitive admin areas increases its impact when vulnerabilities are discovered.

This scanner detects a reflected Cross-Site Scripting (XSS) vulnerability in versions of the Shield Security Plugin prior to 20.0.6. The vulnerability affects the `nav_sub` parameter in the plugin’s admin page, where user input is not properly sanitized. Authenticated users can inject JavaScript payloads that will execute in the context of other logged-in administrators. This can be used to hijack sessions, steal cookies, or perform unauthorized actions on behalf of the victim. The flaw is especially dangerous in multi-user environments with shared admin access. The issue has been rated medium severity due to the authentication requirement, but the impact on confidentiality and integrity remains significant.

The vulnerability resides in the `admin.php` page within the WordPress dashboard, specifically when navigating to `?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=...`. By injecting a script tag in the `nav_sub` parameter, the payload is reflected and rendered in the response. The scanner reproduces the issue by first authenticating with provided credentials and then performing a crafted GET request. It checks the second response for the presence of the payload and a known plugin-specific string to confirm successful injection. This improper input handling is what allows the script to execute in the victim’s browser.

If exploited, this vulnerability can lead to a variety of attacks including stealing session cookies, redirecting users to malicious pages, and modifying plugin settings. Attackers can also escalate privileges by tricking an administrator into performing unintended actions. Since this is a reflected XSS, it requires the victim to click on a specially crafted link. However, in environments with multiple administrators, this attack becomes feasible and impactful. Mitigating this flaw is essential to preserve the integrity of the site’s security controls.

REFERENCES

• https://wpscan.com/vulnerability/83a1bdc6-098e-43d5-89e5-f4202ecd78a1/
• https://research.cleantalk.org/CVE-2024-7313/
• https://nvd.nist.gov/vuln/detail/CVE-2024-7313