VK All in One Expansion Unit – Authenticated (Contributor+) Stored Cross-Site Scripting via className – CVE-2024-2170 | WordPress Plugin Vulnerability Report
Plugin Name: VK All in One Expansion Unit
Key Information:
- Software Type: Plugin
- Software Slug: vk-all-in-one-expansion-unit
- Software Status: Active
- Software Author: kurudrive
- Software Downloads: 5,085,263
- Active Installs: 100,000
- Last Updated: March 25, 2024
- Patched Versions: 9.97.0.0
- Affected Versions: <= 9.96.0.1
Vulnerability Details:
- Name: VK All in One Expansion Unit <= 9.96.0.1
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via className
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2170
- CVSS Score: 6.4
- Publicly Published: March 25, 2024
- Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI ST
- Description: The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient input sanitization and output escaping on user-supplied attributes such as 'className'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The VK All in One Expansion Unit for WordPress has a vulnerability in versions up to and including 9.96.0.1 that allows authenticated users with contributor-level or higher permissions to perform stored cross-site scripting via the 'className' attribute in the child page index widget. This vulnerability has been patched in version 9.97.0.0.
Detailed Overview:
The vulnerability discovered by Ngô Thiên An of VNPT-VCI ST involves insufficient input sanitization and output escaping, particularly in the handling of the 'className' attribute within the child page index widget. This oversight allows attackers to embed malicious scripts that are executed when other users access the compromised page. The risks associated with this vulnerability include potential unauthorized access to user data, session hijacking, and other malicious activities that compromise the integrity and confidentiality of user data and website functionality.
Advice for Users:
- Immediate Action: Update to version 9.97.0.0 immediately to patch this vulnerability.
- Check for Signs of Vulnerability: Review your website pages for any unusual or unauthorized content, especially within the child page index widgets.
- Alternate Plugins: Although a patch is available, consider evaluating plugins that offer similar functionality as a precautionary measure.
- Stay Updated: Regularly update all plugins to their latest versions to mitigate the risks of vulnerabilities.
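The two weaknesses named in the Detailed Overview (missing input sanitization and missing output escaping of a block's 'className' attribute) and the "review your pages for unauthorized content" advice above are illustrated by the following added example. It is not the plugin's code: the block name `example/child-page-index`, the `example_*` function names and the sample post content are constructed for this illustration. The WordPress functions `esc_attr()` and `sanitize_html_class()` are real; the fallbacks defined at the top exist only so the file also runs with plain `php` outside WordPress.

```php
<?php
// Added illustration, not the plugin's own code. Block name, attribute schema,
// function names and sample content are assumptions chosen for the example.

// Stand-ins so the file runs outside WordPress; inside WordPress the real
// esc_attr() / sanitize_html_class() already exist and these are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( $class, $fallback = '' ) {
        $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $class );
        return ( '' === $sanitized ) ? $fallback : $sanitized;
    }
}

/**
 * Weak pattern (for contrast only): the user-controlled className attribute is
 * interpolated into the class attribute verbatim, so a stored value containing
 * a double quote closes the attribute and anything after it becomes markup.
 */
function example_render_unsafe( array $attributes ) : string {
    $class = $attributes['className'] ?? '';
    return '<div class="child-page-index ' . $class . '">...</div>';
}

/**
 * Hardened pattern: keep only characters valid in a CSS class name (allowing
 * several space-separated classes, as block editors store them), then escape
 * on output regardless of what sanitization did.
 */
function example_render_safe( array $attributes ) : string {
    $raw     = $attributes['className'] ?? '';
    $classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $raw ) ) );
    $class   = trim( 'child-page-index ' . implode( ' ', $classes ) );
    return '<div class="' . esc_attr( $class ) . '">...</div>';
}

/**
 * Defender-side audit for the "review your pages" advice: scan serialized block
 * markup (the <!-- wp:name {json} --> delimiters WordPress stores in post_content)
 * and report className values containing anything other than class-name characters.
 * The non-greedy JSON match is adequate for attribute objects; deeply nested
 * attribute JSON would need a real block parser.
 */
function example_find_suspicious_class_names( string $post_content ) : array {
    $findings = array();
    $pattern  = '/<!--\s+wp:([a-z0-9\/_-]+)\s+(\{.*?\})\s+\/?-->/s';
    if ( preg_match_all( $pattern, $post_content, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $block ) {
            $attrs = json_decode( $block[2], true );
            if ( isset( $attrs['className'] ) && preg_match( '/[^A-Za-z0-9 _-]/', $attrs['className'] ) ) {
                $findings[] = array( 'block' => $block[1], 'className' => $attrs['className'] );
            }
        }
    }
    return $findings;
}

// Constructed sample post content: one benign block and one whose className is
// not a plain class list (it carries a quote that breaks out of the attribute).
$sample = '<!-- wp:example/child-page-index {"className":"is-style-compact"} /-->' . "\n"
        . '<!-- wp:example/child-page-index {"className":"x\" data-injected=\"yes"} /-->';

$stored = array( 'className' => 'x" data-injected="yes' );
echo "unsafe: ", example_render_unsafe( $stored ), "\n";   // attribute breakout visible
echo "safe:   ", example_render_safe( $stored ), "\n";     // stays a single class attribute
echo "audit:  ", json_encode( example_find_suspicious_class_names( $sample ) ), "\n";
```

The audit function is a content-level heuristic, not a proof of compromise: a className that contains quotes, angle brackets or parentheses has no legitimate use as a CSS class and is worth a manual look, which is the check a site owner can run against exported post content after updating to 9.97.0.0.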
Conclusion:
The swift action by the developers of the VK All in One Expansion Unit plugin to release a patch highlights the critical nature of maintaining up-to-date software on your WordPress site. Users should ensure their installations are updated to version 9.97.0.0 or later to safeguard against this and potentially other vulnerabilities.
References:
- Wordfence Vulnerability Report on VK All in One Expansion Unit
- Wordfence Plugin Vulnerabilities Overview
Detailed Report:
In today's fast-paced digital landscape, where small business owners juggle numerous responsibilities, the security of a WordPress website can often take a backseat. However, neglecting this critical aspect can have far-reaching consequences, as highlighted by the recent discovery of a significant vulnerability in the VK All in One Expansion Unit plugin. This incident serves as a stark reminder of the importance of maintaining up-to-date website components to safeguard against potential cyber threats.
VK All in One Expansion Unit: A Popular Choice with a Critical Flaw
The VK All in One Expansion Unit plugin, developed by kurudrive, is a versatile tool favored by over 100,000 WordPress sites for its array of functionalities designed to enhance website performance. Despite its popularity and the developers' commitment to regular updates, the plugin has been identified with a severe security flaw. Tagged with CVE-2024-2170, this vulnerability allows authenticated users with contributor-level access or higher to perform stored cross-site scripting (XSS) attacks via the 'className' attribute in the child page index widget.
Understanding the Vulnerability and Its Impacts
Stored XSS vulnerabilities like CVE-2024-2170 are particularly dangerous as they enable attackers to inject malicious scripts into web pages, which are then executed by unsuspecting users. This can lead to unauthorized data access, session hijacking, and, potentially, a complete compromise of the affected website. The risk is compounded by the plugin's widespread use and the fact that the injection requires only contributor-level permissions.
A Pattern of Vulnerabilities
It's worth noting that this isn't an isolated incident for the VK All in One Expansion Unit plugin. Since February 3, 2023, four other vulnerabilities have been reported, signaling a pattern that demands attention and action from both the developers and the plugin's users.
Immediate Remediation Steps
The developers have promptly released a patched version, 9.97.0.0, to address this vulnerability. Users are strongly advised to update their plugin installations immediately to this version or later to mitigate the risk. Additionally, website owners should conduct regular reviews for unauthorized content and consider employing alternative plugins that offer similar functionalities but with a stronger security record.
The Critical Nature of Cybersecurity Vigilance
For small business owners, staying abreast of every security update and vulnerability might seem like a daunting task. However, the potential repercussions of a security breach—a tarnished reputation, loss of customer trust, and financial liabilities—far outweigh the effort required to maintain a secure online presence. Leveraging automated update features, subscribing to security blogs or newsletters, and partnering with cybersecurity professionals can significantly reduce the burden of staying informed and protected.
In Conclusion
The VK All in One Expansion Unit vulnerability underscores a critical lesson for small business owners: the importance of proactive cybersecurity practices. In an era where digital threats are ever-present and evolving, the security of your WordPress site cannot be overlooked. Regular updates, vigilant monitoring for unusual activities, and a readiness to act swiftly in the face of vulnerabilities are paramount in protecting your digital assets and, by extension, your business's reputation and bottom line. Remember, in the realm of cybersecurity, an ounce of prevention is truly worth a pound of cure.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
VK All in One Expansion Unit – Authenticated (Contributor+) Stored Cross-Site Scripting via className – CVE-2024-2170 | WordPress Plugin Vulnerability Report FAQs
What is a stored cross-site scripting (XSS) vulnerability?
Stored XSS vulnerabilities occur when an application stores malicious input from an attacker in its databases. When other users access the compromised data, the malicious code executes in their browsers. This type of vulnerability is particularly dangerous because it can lead to unauthorized access to user data, session hijacking, and other malicious activities without the users' knowledge.