Lightbox & Modal Popup WordPress Plugin – FooBox Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2024-3276 | WordPress Plugin Vulnerability Report

Plugin Name: Lightbox & Modal Popup WordPress Plugin – FooBox

Key Information:

  • Software Type: Plugin
  • Software Slug: foobox-image-lightbox
  • Software Status: Active
  • Software Author: bradvin
  • Software Downloads: 2,339,156
  • Active Installs: 100,000
  • Last Updated: June 11, 2024
  • Patched Versions: <= 2.7.27
  • Affected Versions: 2.7.28

Vulnerability Details:

  • Name: Lightbox & Modal Popup WordPress Plugin – FooBox (Free and Premium) <= 2.7.27
  • Title: Authenticated (Admin+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3276
  • CVSS Score: 4.4
  • Publicly Published: May 28, 2024
  • Researcher: Dmitrii Ignatyev - CleanTalk Inc
  • Description: The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
  • References: Wordfence Report, Wordfence Analysis

Summary:

The Lightbox & Modal Popup WordPress Plugin – FooBox for WordPress has a vulnerability in versions up to and including 2.7.27 that allows authenticated (Admin+) attackers to execute Stored Cross-Site Scripting. This vulnerability has been patched in version 2.7.28.

Detailed Overview:

The vulnerability, reported by Dmitrii Ignatyev of CleanTalk Inc, lies in insufficient input sanitization and output escaping in the admin settings of the plugin. This allows attackers with administrator-level permissions to inject malicious scripts into pages, potentially leading to various risks including data theft, defacement, and malware distribution. To remediate this vulnerability, users are strongly advised to update their plugin to version 2.7.28 or later.

Advice for Users:

  • Immediate Action: Update to patched version 2.7.28 immediately.
  • Check for Signs of Vulnerability: Look for unusual behavior on your website, such as unexpected popups or redirects.
  • Alternate Plugins: Consider using alternative plugins temporarily while awaiting the patch implementation.
  • Stay Updated: Regularly update all plugins to their latest versions to avoid vulnerabilities.

Conclusion:

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.7.28 or later to secure their WordPress installations.

References:

Detailed Report

Ensuring Website Security: The Urgency of Plugin Updates

In today's digital landscape, maintaining the security of your website is paramount. With the ever-evolving threat landscape, vulnerabilities in website plugins pose significant risks to website owners and users alike. Recently, a security vulnerability has been identified in the Lightbox & Modal Popup WordPress Plugin – FooBox, shedding light on the critical importance of keeping your website's plugins up to date.

Introduction to Plugin:

The Lightbox & Modal Popup WordPress Plugin – FooBox, developed by bradvin, is a popular choice among WordPress users for creating responsive image galleries. With over 100,000 active installs and millions of downloads, it's clear that FooBox is a widely trusted solution for enhancing website functionality.

Details of Vulnerability:

The vulnerability, authenticated (Admin+) Stored Cross-Site Scripting (CVE-2024-3276), poses a significant threat to website security. In vulnerable versions up to and including 2.7.27, attackers with administrator-level permissions can exploit insufficient input sanitization and output escaping to inject malicious scripts into web pages.

Risks and Potential Impacts:

The consequences of such an attack range from data theft to malware distribution, posing severe threats to website integrity and user security. Furthermore, previous vulnerabilities identified since February 25, 2019, highlight the persistent nature of plugin vulnerabilities and the importance of proactive security measures.

How to Remediate the Vulnerability:

To safeguard against this vulnerability, website owners are strongly advised to promptly update their FooBox plugin to the patched version 2.7.28 or later. Additionally, implementing proactive security measures such as regular plugin updates, monitoring for signs of vulnerability, and considering alternative plugins can help fortify your website's defenses against potential exploits.

The Importance of Staying on Top of Security Vulnerabilities:

For small business owners managing WordPress websites, staying on top of security vulnerabilities may seem like a daunting task. However, neglecting these crucial updates can result in significant risks to your business's online presence, reputation, and, ultimately, your bottom line. By prioritizing website security and adopting proactive measures, you can mitigate potential risks and safeguard your business's digital assets.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Lightbox & Modal Popup WordPress Plugin – FooBox Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2024-3276 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment