Microsoft Clarity Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting – CVE-2024-0590 | WordPress Plugin Vulnerability Report
Plugin Name: Microsoft Clarity
Key Information:
- Software Type: Plugin
- Software Slug: microsoft-clarity
- Software Status: Active
- Software Author: sammartin
- Software Downloads: 312,923
- Active Installs: 70,000
- Last Updated: February 27, 2024
- Patched Versions: 0.9.4
- Affected Versions: <= 0.9.3
Vulnerability Details:
- Name: Microsoft Clarity <= 0.9.3
- Title: Cross-Site Request Forgery to Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0590
- CVSS Score: 6.1
- Publicly Published: February 16, 2024
- Researcher: kodaichodai
- Description: The Microsoft Clarity plugin for WordPress, a tool designed to provide insights into website usage and user behavior, harbors a critical vulnerability in versions up to 0.9.3. This flaw, stemming from a lack of nonce validation in the edit_clarity_project_id() function, paves the way for Cross-Site Request Forgery (CSRF) attacks. Such vulnerabilities enable unauthenticated attackers to manipulate the plugin's settings, specifically the project ID, to inject malicious JavaScript code. The exploit hinges on deceiving an authenticated site administrator into executing an unintended action, such as clicking a malicious link.
Summary:
Microsoft Clarity, a valuable plugin for WordPress users seeking detailed analytics on user engagement, faces a significant security risk due to a CSRF vulnerability that transitions into stored XSS. This vulnerability, present in versions up to and including 0.9.3, has been effectively addressed in the latest patch, version 0.9.4.
Detailed Overview:
Discovered by security researcher kodaichodai, this vulnerability exposes websites to potential unauthorized script injections, which could lead to compromised user data, unauthorized administrative actions, and a tarnished user experience. The specific nature of the vulnerability requires the attacker to lure an administrator into clicking a specially crafted link, which, upon execution, alters the plugin's project ID to execute the attacker's script. The release of version 0.9.4 introduces necessary nonce validations, mitigating the risk associated with this vulnerability.
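As an added illustration, not the plugin's own code, the following simplified WordPress settings handler shows the pattern the description and overview refer to: a project-ID update with no nonce validation, next to a hardened version that verifies the nonce, checks the caller's capability, validates the stored value and escapes it on output. The option name, function names and the assumed alphanumeric ID format are hypothetical.

```php
<?php
// Added example modelled on the pattern this report describes; it is not the
// Microsoft Clarity plugin's code. Option and function names are hypothetical.

// Weak version: no nonce or capability check and no validation of the value.
// Any POST that reaches this handler overwrites the stored project ID, which
// is the CSRF path the report describes.
function example_edit_project_id_weak() {
    if ( isset( $_POST['project_id'] ) ) {
        update_option( 'clarity_project_id_example', $_POST['project_id'] );
    }
}

// Hardened version: the request must carry a nonce minted for this form, the
// caller must be allowed to change site options, and the value is constrained
// to the shape a project ID can take before it is stored.
function example_edit_project_id_hardened() {
    if ( ! isset( $_POST['project_id'] ) ) {
        return;
    }
    // Dies unless a valid nonce for this action is present in the request.
    check_admin_referer( 'example_edit_project_id', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $id = sanitize_text_field( wp_unslash( $_POST['project_id'] ) );
    // Assumption: a project ID is a short alphanumeric token; anything else,
    // markup included, is refused rather than stored.
    if ( ! preg_match( '/^[A-Za-z0-9]{1,32}$/', $id ) ) {
        add_settings_error( 'example', 'bad_id', 'Invalid project ID.' );
        return;
    }
    update_option( 'clarity_project_id_example', $id );
}

// The settings form must emit the matching nonce field for the handler above.
function example_render_form() {
    $current = get_option( 'clarity_project_id_example', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_edit_project_id', 'example_nonce' );
    echo '<input name="project_id" value="' . esc_attr( $current ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Output side: the stored value is JSON-encoded when written into the tracking
// snippet, so even a bad stored value cannot break out of the JS string.
function example_print_snippet() {
    $id = get_option( 'clarity_project_id_example', '' );
    if ( '' !== $id ) {
        echo '<script>window.exampleProjectId = ' . wp_json_encode( $id ) . ';</script>';
    }
}
```

The strict pattern in the hardened handler doubles as the check suggested under "Check for Signs of Vulnerability": a stored project ID that contains anything other than the expected token characters is a sign it was altered.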
Advice for Users:
- Immediate Action: Administrators using the Microsoft Clarity plugin should promptly update to version 0.9.4 to neutralize this security threat.
- Check for Signs of Vulnerability: Vigilance is key. Administrators should review their plugin settings, particularly the Clarity project ID, for unauthorized changes and remain cautious of phishing attempts aimed at exploiting this vulnerability.
- Alternate Plugins: While the patched version restores security, users might explore alternative analytics plugins, ensuring they prioritize security features and regular updates.
- Stay Updated: The cornerstone of a secure WordPress site is the commitment to regular updates. Ensuring all plugins, themes, and the WordPress core are up-to-date is fundamental in safeguarding against known vulnerabilities.
Conclusion:
The swift identification and resolution of CVE-2024-0590 within the Microsoft Clarity plugin highlight the critical role of proactive security measures in the digital ecosystem. For small business owners managing WordPress sites, this incident serves as a poignant reminder of the importance of maintaining up-to-date plugins and implementing comprehensive security strategies. Leveraging automatic updates, staying informed about emerging vulnerabilities, and engaging in regular site security audits are indispensable practices for securing online assets against evolving cyber threats.