CVE-2024-6625

Vulnerability

Overview

The WP Total Branding plugin for WordPress, up to version 1.2, is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in its admin settings. This flaw allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts, which are stored and executed when any user accesses the affected page [1].

Exploitation

Prerequisites

Exploitation requires an attacker to have administrator-level access on a WordPress installation. Notably, the vulnerability is only exploitable on multi-site installations or on single-site installations where the unfiltered_html capability has been disabled. Under these configurations, the plugin fails to properly sanitize inputs before saving them, enabling the injection of malicious script code into plugin settings that are later rendered on administrative pages [1].

Impact

A successful attack allows the injection of persistent JavaScript, which executes in the context of any user visiting the compromised admin page. This can lead to session hijacking, forced administrative actions, defacement, or redirection to malicious sites. Because the attacker already possesses administrator privileges, the primary risk involves privilege escalation within multi-site networks or further compromise of users who interact with the injected content [1].

Mitigation

As of the publication date (July 12, 2024), the vulnerability remains unpatched. The plugin's official page does not indicate a fixed version, and users are advised to restrict access to the plugin settings to trusted administrators only. For multi-site installations, administrators should carefully vet any user granted the super-admin role. Removing or disabling the plugin until a security update is released is recommended [1].