CVE-2024-13515
Description
The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'path' parameter in all versions up to, and including, 2.28.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Image Source Control Lite plugin ≤2.28.0 has a reflected XSS via the 'path' parameter, allowing unauthenticated attackers to inject arbitrary scripts.
The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to and including 2.28.0. The vulnerability exists because the plugin passes the unsanitized 'path' parameter from the URL directly into an iframe src attribute on the settings preview page, allowing an attacker to inject arbitrary JavaScript. The insufficient input sanitization and output escaping make it possible for unauthenticated attackers to craft a malicious link that, when clicked by a logged-in administrator, will execute the attacker's script in the context of the WordPress admin panel [1].
The attack is low in complexity: the attacker does not need any authentication, and the only user interaction required is a click on a crafted link. The malicious 'path' parameter is included in the iframe's source URL, which loads a separate HTML page that then uses the value to construct a script element's source. The commit that fixes the issue removes the 'path' parameter entirely and uses a hardcoded relative path instead [1].
If exploited, an attacker could execute arbitrary web scripts in the browser of an administrator who clicks the malicious link. This could lead to theft of cookies, session tokens, or other sensitive information, as well as performing actions on behalf of the admin, such as modifying plugin settings or creating new administrative users. The impact is limited by the need for social engineering, but the lack of authentication requirements lowers the barrier for attackers.
A patch was released in version 2.29.0, which completely removes the 'path' parameter from the iframe URL and hardcodes the script source to a relative path that cannot be manipulated by an attacker. Users are strongly advised to update to the latest version. No known workarounds are available for previous versions beyond applying the patch.
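As an added example (not the plugin's code and not the fix commit itself), the following shows the client-side pattern the narrative describes, the hardened form that ignores the query string in favour of a fixed relative path, and an allowlist check for pages that genuinely must accept a path from their URL; the script filename and plugin directory are hypothetical.

```javascript
// Added example, not code from the plugin or its fix commit.
// The advisory describes a preview page that read the `path` query parameter
// from its URL and used it as a script element's src. The fix ignores the
// query string and pins the script to a fixed relative path.

const PREVIEW_SCRIPT = "preview.js";  // hypothetical fixed relative path
// Hypothetical plugin directory used by the allowlist check below.
const ALLOWED_DIR = "/wp-content/plugins/image-source-control-isc/";

// The unsafe pattern the advisory describes: whatever `path` holds becomes the
// script source, so a crafted link decides which script the admin's browser loads.
function scriptSourceFromQuery(search) {
  return new URLSearchParams(search).get("path");
}

// Hardened form (the approach the fix took): the query string is never consulted.
function fixedScriptSource() {
  return PREVIEW_SCRIPT;
}

// Defence in depth for pages that must take a path from the URL: resolve it
// against the page URL and require same origin, the plugin directory and a
// .js file. Resolution normalises "../" segments, so traversal out of
// ALLOWED_DIR fails the prefix check; "javascript:", "data:" and
// protocol-relative "//host/x.js" values fail the origin check.
function isAllowedScriptPath(candidate, pageUrl) {
  let resolved;
  try {
    resolved = new URL(candidate, pageUrl);
  } catch (e) {
    return false;  // unparsable input is rejected
  }
  if (resolved.origin !== new URL(pageUrl).origin) return false;
  if (!resolved.pathname.startsWith(ALLOWED_DIR)) return false;
  return resolved.pathname.endsWith(".js");
}
```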
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: commit 1d1461b886ed2
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0. No linked articles in our index yet.