Mesmerize Companion Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode – CVE-2024-3494 | WordPress Plugin Vulnerability Report

Plugin Name: Mesmerize Companion

Key Information:

  • Software Type: Plugin
  • Software Slug: mesmerize-companion
  • Software Status: Active
  • Software Author: horearadu
  • Software Downloads: 1,857,988
  • Active Installs: 80,000
  • Last Updated: May 7, 2024
  • Patched Versions: 1.6.149
  • Affected Versions: <= 1.6.148

Vulnerability Details:

  • Name: Mesmerize Companion <= 1.6.148 - Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-3494
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 7, 2024
  • Researcher: stealthcopter
  • Description: The Mesmerize Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mesmerize_contact_form' shortcode in all versions up to, and including, 1.6.148 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Mesmerize Companion plugin for WordPress has a vulnerability in versions up to and including 1.6.148 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages via the plugin's 'mesmerize_contact_form' shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This vulnerability has been patched in version 1.6.149.

Detailed Overview:

The vulnerability was discovered by security researcher stealthcopter, who found that the Mesmerize Companion plugin did not properly sanitize and escape user input in the 'mesmerize_contact_form' shortcode. This allows authenticated attackers with contributor-level access and above to inject malicious scripts that would execute whenever a user visits an affected page. The vulnerability poses a risk of unauthorized access, data theft, and website defacement.

Advice for Users:

  1. Immediate Action: Users should update the Mesmerize Companion plugin to version 1.6.149 or later to patch this vulnerability.
  2. Check for Signs of Vulnerability: Review your website for any suspicious or unauthorized modifications, especially on pages containing the 'mesmerize_contact_form' shortcode.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.6.149 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mesmerize-companion

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mesmerize-companion/mesmerize-companion-16148-authenticated-contributor-stored-cross-site-scripting-via-mesmerize-contact-form-shortcode

Detailed Report:

As a website owner, keeping your site secure should always be a top priority. Vulnerabilities in plugins and themes can leave your site exposed to potential threats, compromising your data and your users' information. In this post, we'll discuss a recently discovered vulnerability in the Mesmerize Companion plugin for WordPress and the crucial steps you need to take to protect your website.

Plugin Details

The Mesmerize Companion plugin, which has over 80,000 active installations and nearly 2 million downloads, is a popular choice among WordPress users. Developed by horearadu, the plugin is designed to enhance the functionality of the Mesmerize theme. As of May 7, 2024, the latest patched version of the plugin is 1.6.149, addressing the recently discovered vulnerability.

Vulnerability Details

The vulnerability, identified as CVE-2024-3494, affects all versions of the Mesmerize Companion plugin up to and including 1.6.148. It allows authenticated attackers with contributor-level access and above to inject malicious scripts into pages via the plugin's 'mesmerize_contact_form' shortcode. The vulnerability was discovered by security researcher stealthcopter and is classified as an "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" issue with a CVSS score of 6.4 (Medium).

Risks and Potential Impacts

The risk posed by this vulnerability is significant, as it can lead to unauthorized access, data theft, and website defacement. Attackers can exploit this flaw to execute arbitrary web scripts on affected pages, potentially harming your website and your users. This vulnerability puts your website's security and reputation at risk, making it crucial to take immediate action.

Remediation Steps

To mitigate the risk associated with this vulnerability, it is essential to update the Mesmerize Companion plugin to version 1.6.149 or later immediately. The plugin developers have promptly released a patch to address this vulnerability, emphasizing the importance of timely updates. Additionally, website owners should review their sites for any suspicious or unauthorized modifications, especially on pages containing the 'mesmerize_contact_form' shortcode.

Previous Vulnerabilities

It is worth noting that the Mesmerize Companion plugin has had one previous vulnerability since December 2022. This underscores the importance of regularly monitoring and updating your WordPress plugins to ensure your website's security.

The Importance of Staying Vigilant

As a small business owner with a WordPress website, it can be challenging to stay on top of security vulnerabilities and updates. However, neglecting these critical aspects of website maintenance can have severe consequences for your business. By regularly updating your plugins, themes, and WordPress core, you can significantly reduce the risk of falling victim to security breaches and protect your website, your data, and your users' information.

If you are unsure about how to proceed or need assistance with updating your plugins and maintaining your website's security, consider reaching out to a professional WordPress support service or your web developer. They can help you navigate the complexities of website security and ensure that your site remains protected against potential threats.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Mesmerize Companion Vulnerability - Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode - CVE-2024-3494 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment