WP Chat App Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Image Attribute – CVE-2024-2513 | WordPress Plugin Vulnerability Report
Plugin Name: WP Chat App
Key Information:
- Software Type: Plugin
- Software Slug: wp-whatsapp
- Software Status: Active
- Software Author: ninjateam
- Software Downloads: 950,913
- Active Installs: 100,000
- Last Updated: April 1, 2024
- Patched Versions: 3.6.3
- Affected Versions: <= 3.6.2
Vulnerability Details:
- Name: WP Chat App <= 3.6.2
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Image Attribute
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2513
- CVSS Score: 6.4 (Medium)
- Publicly Published: March 29, 2024
- Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
- Description: WP Chat App, a plugin that adds WhatsApp chat to WordPress sites, contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 3.6.2. The plugin's 'imageAlt' block attribute is neither sufficiently sanitized on input nor escaped on output, so an authenticated user with Contributor-level access or higher can store arbitrary script in a post through that attribute. The script then runs in the browser of any user who views the affected page; since Contributors cannot publish on a default WordPress install, in practice that is often the Editor or Administrator who opens the post to review it.
Summary:
The WP Chat App plugin, which integrates WhatsApp chat into WordPress sites, contains a Stored XSS vulnerability (CVSS 6.4, Medium) in versions up to and including 3.6.2. The issue is fixed in version 3.6.3.
Detailed Overview:
Reported by researcher Ngô Thiên An (ancorn_) of VNPT-VCI, this vulnerability is a reminder that block attributes are attacker-controlled data: a value such as an image alt text must be escaped for the context it is printed into (for an HTML attribute, with esc_attr() or an equivalent) every time it is output, with input sanitization as a second layer rather than the only one. Because the injected script runs with the privileges of whoever views the page, a low-privileged Contributor can use it to act in the browser session of an Editor or Administrator who reviews the post. The developers released version 3.6.3, which corrects the handling of the attribute.
Advice for Users:
- Immediate Action: Users of the WP Chat App plugin should update to version 3.6.3 or later without delay.
- Check for Signs of Exploitation: Review posts and pages (including pending drafts and revisions) created or edited by Contributor-level accounts for block attributes that contain markup, quotes, event handlers or javascript: URLs. Note that the block editor stores `<`, `>`, `"` and `&` inside block attribute JSON as `\u` escapes, so a plain text search of post_content for `<script` can miss an injected value; decode the attribute JSON before inspecting it. Also confirm that every Contributor account is expected and remove any that are not.
- Alternate Plugins: While the patched version addresses this vulnerability, users might consider evaluating alternative WhatsApp chat integration plugins for WordPress, especially if they have ongoing security concerns.
- Stay Updated: Keeping plugins updated to their latest versions is crucial for website security. Regular updates help protect against known vulnerabilities and ensure the optimal functioning of your WordPress site.
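The following script is an added example, not code from the WP Chat App plugin or from the advisory. It covers two points above: why an unescaped 'imageAlt' attribute lets a Contributor break out of the alt="..." attribute (and why escaping on output stops it), and how to check exported post_content for such values. It works on the raw post_content column as stored by the block editor, which you can obtain with, for example, `wp post get <id> --field=post_content` or a database export. The block name `example/chat-button`, the sample posts and the escaping model are constructed for illustration; the advisory does not give the plugin's real block name, and Python's html.escape stands in for WordPress's esc_attr().

```python
"""Scan WordPress post_content for block attributes carrying HTML/script
fragments, and model the effect of escaping on output.

Added example, not the plugin's own code. The block name "example/chat-button"
and all sample content below are constructed for illustration.
"""
import html
import json
import re

# Gutenberg block delimiters look like
#   <!-- wp:ns/name {"attr":"v"} /-->   or   <!-- wp:ns/name {...} --> ... <!-- /wp:ns/name -->
# The editor's serializer writes <, >, ", & and -- inside the JSON as \uXXXX
# escapes, so a grep of post_content for "<script" can miss an injected value.
BLOCK_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9_-]*(?:/[a-z][a-z0-9_-]*)?)"
    r"\s+(?P<attrs>\{.*?\})\s+/?-->",
    re.DOTALL,
)

# Content that has no business in an alt text: tag openers, quote characters
# that could end the attribute, inline event handlers, script-scheme URLs.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*[a-z]|[\"']|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def iter_block_attrs(post_content):
    """Yield (block_name, attrs_dict) for each block delimiter that carries a
    JSON attribute object. Malformed JSON is skipped, not trusted."""
    for m in BLOCK_RE.finditer(post_content):
        try:
            attrs = json.loads(m.group("attrs"))
        except json.JSONDecodeError:
            continue
        if isinstance(attrs, dict):
            yield m.group("name"), attrs


def find_suspicious_image_alt(post_content):
    """Return [(block_name, decoded imageAlt)] for every block whose imageAlt
    attribute, after JSON decoding, contains markup, quotes or script-like text."""
    hits = []
    for name, attrs in iter_block_attrs(post_content):
        alt = attrs.get("imageAlt")
        if isinstance(alt, str) and SUSPICIOUS_RE.search(alt):
            hits.append((name, alt))
    return hits


def render_img(image_alt, escape_output):
    """Model a server-side render of <img alt="..."> with and without output
    escaping. html.escape(quote=True) plays the role esc_attr() plays in PHP:
    it neutralises & < > " ' so the value can neither terminate the attribute
    nor open a new tag."""
    value = html.escape(image_alt, quote=True) if escape_output else image_alt
    return '<img src="chat.png" alt="%s">' % value


# ---- constructed sample post_content (not real site data) -----------------
BENIGN_POST = r'<!-- wp:example/chat-button {"imageAlt":"Chat with us on WhatsApp"} /-->'

# What a Contributor's payload looks like once the editor has serialized it:
# the quote and angle brackets are stored as \u escapes, so neither "<script"
# nor a literal double quote appears in the raw column.
HOSTILE_POST = (
    r'<!-- wp:example/chat-button '
    r'{"imageAlt":"x\u0022\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"} /-->'
)


def main():
    for label, post in (("benign", BENIGN_POST), ("hostile", HOSTILE_POST)):
        hits = find_suspicious_image_alt(post)
        print(f"{label}: {len(hits)} suspicious imageAlt value(s)")
        for name, alt in hits:
            print("  block:             ", name)
            print("  decoded alt:       ", alt)
            print("  rendered unescaped:", render_img(alt, escape_output=False))
            print("  rendered escaped:  ", render_img(alt, escape_output=True))


if __name__ == "__main__":
    main()
```

Run it against a dump of post_content one post at a time; any hit in a post authored or last edited by a Contributor deserves a look at the account as well as the content. The decode-then-inspect step is the part that matters: the same payload is invisible to a raw substring search of the stored column.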
Conclusion:
The fix released by the WP Chat App developers closes the Stored Cross-Site Scripting vulnerability, but only for sites that install it. Updating to version 3.6.3 or later removes the exposure; checking existing content for injected block attributes covers the window before the update was applied.