Menu Icons by ThemeIsle Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload – CVE-2024-4635 | WordPress Plugin Vulnerability Report

Plugin Name: Menu Icons by ThemeIsle

Key Information:

  • Software Type: Plugin
  • Software Slug: menu-icons
  • Software Status: Active
  • Software Author: themeisle
  • Software Downloads: 3,529,569
  • Active Installs: 200,000
  • Last Updated: May 15, 2024
  • Patched Versions: 0.13.14
  • Affected Versions: <= 0.13.13

Vulnerability Details:

  • Name: Menu Icons by ThemeIsle <= 0.13.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-4635
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 15, 2024
  • Researcher: wesley (wcraft)
  • Description: The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_mime_type' function in versions up to, and including, 0.13.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Menu Icons by ThemeIsle plugin for WordPress has a vulnerability in versions up to and including 0.13.13 that allows authenticated attackers with author-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 0.13.14.

Detailed Overview:

The vulnerability was discovered by researcher wesley (wcraft) and is caused by insufficient input sanitization and output escaping in the 'add_mime_type' function. This vulnerability poses a risk of attackers injecting malicious scripts that can compromise the security of the affected website and its users. The vulnerability has been patched by the plugin developers in version 0.13.14.

Advice for Users:

  1. Immediate Action: Users are strongly encouraged to update the Menu Icons by ThemeIsle plugin to version 0.13.14 or later to ensure their WordPress installations are secure.
  2. Check for Signs of Vulnerability: Users should review their website for any suspicious or unexpected behavior, which may indicate that their site has been compromised.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 0.13.14 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/menu-icons

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/menu-icons/menu-icons-by-themeisle-01313-authenticated-author-stored-cross-site-scripting-via-svg-upload

Detailed Report:

Attention all WordPress users! In today's digital landscape, website security is of utmost importance. As a website owner, it's crucial to stay vigilant and keep your site updated to protect against potential vulnerabilities. We have recently discovered a critical security issue in the Menu Icons by ThemeIsle plugin, affecting versions up to and including 0.13.13. This vulnerability allows authenticated attackers with author-level permissions and above to inject malicious scripts into your website, potentially compromising its security and putting your users at risk.

Plugin Details

The Menu Icons by ThemeIsle plugin is a popular WordPress plugin that enhances menu navigation with custom icons. It has over 3,529,569 downloads and 200,000 active installations. The plugin is developed by themeisle and was last updated on May 15, 2024.

Vulnerability Details

The vulnerability, identified as CVE-2024-4635, is caused by insufficient input sanitization and output escaping in the 'add_mime_type' function. It allows authenticated attackers with author-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been assigned a CVSS score of 6.4 (Medium) and was publicly disclosed on May 15, 2024, by researcher wesley (wcraft).

Risks and Potential Impacts

This vulnerability poses a significant risk to the security of affected websites. Attackers can exploit this vulnerability to inject malicious scripts, potentially leading to:

  • Stealing sensitive user information
  • Defacing the website
  • Redirecting users to malicious sites
  • Compromising the overall security of the website

Remediation Steps

To address this vulnerability, the plugin developers have released a patched version, 0.13.14. We strongly recommend taking the following actions:

  1. Immediate Action: Update the Menu Icons by ThemeIsle plugin to version 0.13.14 or later to ensure your WordPress installation is secure.
  2. Check for Signs of Vulnerability: Review your website for any suspicious or unexpected behavior, which may indicate that your site has been compromised.
  3. Consider Alternate Plugins: While a patch is available, you might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins, themes, and WordPress core are updated to the latest versions to avoid vulnerabilities.

Previous Vulnerabilities

It is worth noting that there has been 1 previous vulnerability in the Menu Icons by ThemeIsle plugin since February 2024. This highlights the importance of staying informed about potential security risks and taking prompt action when vulnerabilities are discovered.

The Importance of Staying on Top of Security Vulnerabilities

As a small business owner, managing a WordPress website can be challenging, especially when it comes to staying on top of security vulnerabilities. However, neglecting website security can have severe consequences, such as data breaches, loss of customer trust, and damage to your brand reputation. By regularly updating your plugins, themes, and WordPress core, you can significantly reduce the risk of falling victim to known vulnerabilities.

If you find it difficult to keep up with the latest security updates, consider partnering with a reliable website maintenance and security service provider. They can help you monitor your website for potential vulnerabilities, perform regular updates, and implement security best practices, allowing you to focus on running your business.

Remember, investing in website security is crucial for protecting your business, your customers, and your online presence. Stay vigilant, keep your website updated, and don't hesitate to seek professional help when needed.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Menu Icons by ThemeIsle Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload – CVE-2024-4635 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment