CVE-2024-13628 Scanner

The WP Pricing Table plugin is commonly used by website developers and WordPress site owners to create sortable and customizable pricing tables on their sites. It is developed by CodeCabin and provides a user-friendly interface for presenting pricing information effectively. Companies and individuals using WordPress platforms can leverage this plugin to showcase different pricing plans or features in a comparative format. It is frequently utilized in e-commerce or online service businesses to highlight tiered pricing structures conveniently. Users rely on this plugin for its ease of use in integrating complex pricing tables without needing extensive coding knowledge. By enhancing presentation and engagement, it's an important tool for improving sales and user interaction on WordPress sites.

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. In the context of the WP Pricing Table plugin, this XSS flaw enables attackers to run scripts as high-privilege users who view the malicious content. This is a common threat to web applications where user inputs are not correctly validated or sanitized. The vulnerability occurs because the application fails to adequately filter user inputs before rendering them on the web page. By exploiting XSS vulnerabilities, attackers can hijack user sessions, redirect users to malicious websites, or steal sensitive information. This issue is significant as it targets the interaction layer of web applications, focusing on manipulating user experience and access permissions.

The specific vulnerability in the WP Pricing Table plugin stems from improperly sanitized URL parameters, which can be manipulated to execute JavaScript in the context of the user's browser. The affected parameter can be found in the administrative interface of the plugin, where an attacker might craft a URL embedded with a script tag. When high privilege users click this URL, the script is executed leading to the potential compromise of their session. This flaw requires user interaction for the exploit to be successful, meaning the attacker needs to induce a user to visit a prepared URL. Testing for this vulnerability involves verifying the execution of alert scripts in the manipulated URL paths, observing for unwanted impacts on user session visibility or integrity.

Exploiting this vulnerability can lead to severe impacts such as session hijacking or identity theft if attackers gain access to cookies or session tokens of high-privilege users. The stolen sessions could give attackers administrative control over the WordPress site, resulting in data breaches or vandalism. Moreover, users authenticated through compromised sessions become susceptible to further social engineering attacks. Malicious actors could leverage control to deface websites, inject further malware, or create backdoors for persistent access. The disruption of site integrity can tarnish the business reputation, lead to loss of consumer trust, and expose sensitive customer data if not addressed promptly.

REFERENCES

• https://wpscan.com/vulnerability/34d6c8a2-e70d-485c-a217-4a569c16b079/