WP Chat App Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes – CVE-2024-1761 |WordPress Plugin Vulnerability Report
Plugin Name: WP Chat App
Key Information:
- Software Type: Plugin
- Software Slug: wp-whatsapp
- Software Status: Active
- Software Author: ninjateam
- Software Downloads: 880,497
- Active Installs: 100,000
- Last Updated: March 8, 2024
- Patched Versions: 3.6.2
- Affected Versions: <= 3.6.1
Vulnerability Details:
- Name: WP Chat App <= 3.6.1
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1761
- CVSS Score: 6.4
- Publicly Published: March 6, 2024
- Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
- Description: The WP Chat App plugin is found to be vulnerable to Stored Cross-Site Scripting (XSS) through insufficient sanitization and escaping of user-supplied attributes like 'buttonColor' and 'phoneNumber' in its widget/block. This flaw allows authenticated users with contributor-level permissions or higher to embed harmful scripts into web pages, compromising the security of any user accessing these pages.
Summary:
The WP Chat App, a widely used WordPress plugin that facilitates direct chat capabilities via WhatsApp integration, harbors a significant security flaw in versions up to 3.6.1. This vulnerability, identified as Authenticated Stored Cross-Site Scripting via Block Attributes, jeopardizes website integrity by enabling the injection and execution of arbitrary web scripts. A corrective update, version 3.6.2, has been released to address this issue.
Detailed Overview:
Discovered by cybersecurity researcher Ngô Thiên An, this vulnerability underscores the critical need for rigorous security practices in plugin development, particularly concerning input validation and data handling. The ability for attackers to exploit such vulnerabilities can lead to data breaches, unauthorized access, and a tarnished website reputation. The prompt issuance of a patched version by the developers, ninjateam, reflects a proactive approach to maintaining user trust and security.
Advice for Users:
- Immediate Action: Users are strongly advised to update their WP Chat App plugin to the patched version 3.6.2 without delay to mitigate the risk posed by this vulnerability.
- Check for Signs of Vulnerability: Regularly inspect your website for any anomalies or unauthorized changes that could indicate exploitation, focusing on areas where the plugin operates.
- Alternate Plugins: While the updated version is secure, exploring alternative chat plugins may be wise if they better align with security expectations and functional requirements.
- Stay Updated: Consistently keeping all WordPress plugins, themes, and core installations updated is essential for safeguarding against known vulnerabilities and ensuring optimal website performance.
Conclusion:
The identification and subsequent resolution of CVE-2024-1761 within the WP Chat App plugin serve as a pertinent reminder of the dynamic and ongoing nature of cybersecurity threats. WordPress site owners, particularly small business operators who might lack extensive IT resources, must remain vigilant and proactive in applying software updates. Such diligence is paramount in protecting digital assets and maintaining the trust and safety of website users.