CVE-2024-13624 Scanner

The WordPress WPMovieLibrary Plugin is a popular tool used primarily by webmasters and content creators on WordPress platforms to manage and present movie libraries. It serves users ranging from film enthusiasts to educational institutions needing a robust solution for film cataloging. The plugin is appreciated for its ability to facilitate the organization of extensive movie databases with ease. It offers detailed movie information, including covers, actors, and directors, enhancing the catalog's appeal. Its flexibility to integrate with WordPress themes makes it a top choice for film-focused sites. Furthermore, its straightforward interface helps expedite the process of updating and managing movie entries.

The Cross-Site Scripting (XSS) vulnerability found in the WordPress WPMovieLibrary Plugin allows attackers to inject malicious scripts into web pages viewed by other users. This type of attack exploits user inputs that are not properly sanitized before being displayed. By leveraging XSS, attackers can execute scripts in the context of a user's session, often leading to unauthorized actions. In this case, the 'order' parameter within the import page of the plugin is vulnerable. Failure to properly sanitize this input can enable execution of arbitrary JavaScript code in a browser, potentially compromising user data and control.

Technically, the vulnerability involves the 'order' parameter of the plugin's import page, which fails to sanitize user-provided input. When output is returned to the user's browser, unescaped input can be executed. The vulnerability is detected during reflected XSS attacks, where a user is tricked into clicking a malicious link. Upon exploitation, arbitrary code is executed within the administrator's browser, providing avenues for further compromise. The POST request to the site's login and subsequent GET request to the admin page with insecure scripts highlights the endpoint's susceptibility. This vulnerability can result in unauthorized actions and data exposure.

The potential effects of exploiting this XSS vulnerability include unauthorized actions within the user and especially administrator accounts. Attacks could result in session hijacking, defacement, or redirection to malicious sites. Sensitive information can be intercepted or manipulated by attackers. Moreover, compromised administrator sessions could yield complete control over WordPress sites, an entry point for further exploits. The security breach may lead to loss of user trust and damage to the organization's reputation. Additionally, attackers could escalate privileges or install backdoors, making further breaches more accessible.

REFERENCES

• https://wpscan.com/vulnerability/c19b56cc-634f-420f-b6a0-9a10ad159049
• https://nvd.nist.gov/vuln/detail/CVE-2024-13624