Lightbox & Modal Popup WordPress Plugin – FooBox Vulnerability – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes – CVE-2024-5668 | WordPress Plugin Vulnerability Report

Plugin Name: Lightbox & Modal Popup WordPress Plugin – FooBox

Key Information:

  • Software Type: Plugin
  • Software Slug: foobox-image-lightbox
  • Software Status: Active
  • Software Author: bradvin
  • Software Downloads: 2,407,136
  • Active Installs: 100,000
  • Last Updated: August 12, 2024
  • Patched Versions: 2.7.32
  • Affected Versions: <= 2.7.28

Vulnerability Details:

  • Name: Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.28
  • Title: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
  • Type: Stored DOM-Based Cross-Site Scripting (XSS)
  • CVE: CVE-2024-5668
  • CVSS Score: 6.4
  • Publicly Published: August 7, 2024
  • Researcher: Webbernaut
  • Description: The Lightbox & Modal Popup WordPress Plugin – FooBox is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 2.7.28. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes, which allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the affected page.

Summary:

The Lightbox & Modal Popup WordPress Plugin – FooBox for WordPress has a vulnerability in versions up to and including 2.7.28 that allows authenticated (Contributor+) stored DOM-based cross-site scripting via HTML data attributes. This vulnerability has been patched in version 2.7.32.

Detailed Overview:

The Lightbox & Modal Popup WordPress Plugin – FooBox is a popular plugin that enhances websites by allowing users to create lightbox popups for images and other content. However, a serious security vulnerability was discovered in the plugin, identified as CVE-2024-5668. This vulnerability, discovered by security researcher Webbernaut, is due to insufficient input sanitization and output escaping on HTML data attributes provided by users. The flaw allows authenticated attackers with Contributor-level access to inject malicious scripts into web pages. These scripts can execute when the page is accessed, leading to unauthorized actions and potential data breaches.

This vulnerability has a CVSS score of 6.4, indicating a moderate to high risk. The issue was publicly disclosed on August 7, 2024, and affects all versions of the FooBox plugin up to and including 2.7.28. The developers at bradvin responded promptly by releasing a patched version, 2.7.32, on August 12, 2024, to address this issue.

Advice for Users:

Immediate Action: Users are strongly encouraged to update to version 2.7.32 immediately to mitigate the risk of DOM-based cross-site scripting attacks.
Check for Signs of Vulnerability: Users should inspect their sites for any unusual scripts or behaviors, particularly if they have used HTML data attributes in FooBox.
Alternate Plugins: While a patch is available, users might consider exploring alternative plugins that offer similar functionality as an extra precaution.
Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities and protect your website’s integrity.

Conclusion:

The prompt response from the FooBox development team to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.7.32 or later to secure their WordPress installations. For small business owners, staying on top of security vulnerabilities might seem overwhelming, but it is essential for protecting your online presence. Regular maintenance, including updates and vulnerability checks, is crucial in safeguarding your site against potential threats. If you need assistance or have concerns about your website's security, don’t hesitate to seek professional help. Staying informed and proactive is key to maintaining a secure and trustworthy website.

References:

Detailed Report: 

Keeping your WordPress website up to date is crucial for maintaining its security and protecting it from potential threats. Regularly updating plugins is one of the most effective ways to prevent your site from being compromised by newly discovered vulnerabilities. Recently, a significant security issue was identified in the Lightbox & Modal Popup WordPress Plugin – FooBox, a popular tool used by many website owners to create lightbox popups for images and other content. This vulnerability, identified as CVE-2024-5668, poses a serious risk by allowing attackers with Contributor-level access to inject malicious scripts into your site through HTML data attributes. These scripts can execute whenever a user accesses the compromised page, leading to unauthorized actions and potential data breaches.

Summary:

The Lightbox & Modal Popup WordPress Plugin – FooBox for WordPress has a vulnerability in versions up to and including 2.7.28 that allows authenticated (Contributor+) stored DOM-based cross-site scripting via HTML data attributes. This vulnerability has been patched in version 2.7.32.

Detailed Overview:

FooBox is a widely-used WordPress plugin that enhances websites by enabling the creation of lightbox popups for images and other types of content. However, a significant vulnerability was recently discovered in the plugin, identified as CVE-2024-5668. Discovered by security researcher Webbernaut, this flaw is due to inadequate input sanitization and output escaping on HTML data attributes provided by users. The vulnerability allows authenticated users with Contributor-level access to inject malicious scripts into web pages. These scripts can then execute whenever a user accesses the compromised page, leading to unauthorized actions, data breaches, and other security issues.

The vulnerability has been assigned a CVSS score of 6.4, indicating a moderate to high risk. The issue was publicly disclosed on August 7, 2024, and affects all versions of the FooBox plugin up to and including 2.7.28. In response to this discovery, the developers at bradvin acted quickly, releasing a patched version, 2.7.32, on August 12, 2024, to address the vulnerability.

Risks and Potential Impacts:

This vulnerability poses significant risks to websites using the FooBox plugin, particularly those allowing Contributor-level access. An attacker could exploit this flaw to inject harmful scripts into a page, which would execute whenever a user visits the compromised page. The consequences could include unauthorized actions, such as data breaches or further exploitation of the site, all of which could severely impact a website’s security and integrity.

Remediation:

To protect your site, it is critical to update the FooBox plugin to the latest version, 2.7.32, immediately. This update addresses the vulnerability and mitigates the risk of DOM-based cross-site scripting attacks. In addition to updating, site owners should inspect their websites for any unusual scripts or behaviors, especially if they have used HTML data attributes in FooBox. While the patch addresses the current issue, regularly updating all plugins and conducting security audits are essential practices for maintaining a secure WordPress site.

Overview of Previous Vulnerabilities:

Since February 25, 2019, the FooBox plugin has had three previous vulnerabilities reported. This history underscores the importance of regular updates and proactive security measures to protect your website from emerging threats. Although the plugin’s developers have been responsive in addressing these issues, it highlights the need for ongoing vigilance.

Conclusion:

The prompt response from the FooBox development team to patch this vulnerability underscores the importance of timely updates. For small business owners, staying on top of security vulnerabilities might seem overwhelming, but it is crucial for protecting your online presence. Regular maintenance, including updates and vulnerability checks, is key to safeguarding your site against potential threats. If you need assistance or have concerns about your website’s security, don’t hesitate to seek professional help. Staying informed and proactive is essential to maintaining a secure and trustworthy website.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Lightbox & Modal Popup WordPress Plugin – FooBox Vulnerability – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes – CVE-2024-5668 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment