WPFront Notification Bar Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class] – CVE-2024-0625 | WordPress Plugin Vulnerability Report

Plugin Name: WPFront Notification Bar

Key Information:

  • Software Type: Plugin
  • Software Slug: wpfront-notification-bar
  • Software Status: Active
  • Software Author: syammohanm
  • Software Downloads: 803,067
  • Active Installs: 50,000
  • Last Updated: January 24, 2024
  • Patched Versions: <= 3.3.2
  • Affected Versions: <= 3.3.2

Vulnerability Details:

  • Name: WPFront Notification Bar <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]
  • Title: Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-0625
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: January 24, 2024
  • Researcher: Sh
  • Description: The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Summary:

The WPFront Notification Bar plugin for WordPress has a vulnerability in versions up to and including 3.3.2 that allows authenticated attackers, with administrator-level access, to inject arbitrary web scripts that execute when a user accesses the page. This vulnerability has been patched in version 3.3.3.

Detailed Overview:

The core vulnerability lies in the wpfront-notification-bar-options[custom_class] parameter which fails to properly sanitize user input, allowing attackers to inject malicious JavaScript. On multi-site WordPress installations, as well as sites where the unfiltered_html capability has been revoked, this JavaScript will be stored and executed whenever a vulnerable page is loaded. This grants attackers significant control and exposes sites to further compromise. The vulnerability was addressed by the plugin developers in version 3.3.3 through improved input sanitization.

Advice for Users:

  1. Immediate Action: Update to version 3.3.3 as soon as possible.
  2. Check for Signs of Vulnerability: Review website pages and source code for unauthorized javascript. Also check for other indicators of compromise.
  3. Alternate Plugins: Consider alternate notification bar plugins like NotificationX or Smart Bar as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerable versions.

Conclusion:

The quick response by WPFront Notification Bar developers to address this vulnerability is commendable. Users should promptly update to version 3.3.3 to protect their WordPress sites. As always, keeping plugins updated is the best defense against threats targeting known vulnerabilities.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpfront-notification-bar

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpfront-notification-bar/wpfront-notification-bar-332-authenticated-admin-stored-cross-site-scripting-via-wpfront-notification-bar-optionscustom-class

Detailed Report:

Keeping your website secure should be a top priority - but it's not always easy when vulnerabilities are discovered in popular plugins. That's exactly what happened with a recent cross-site scripting (XSS) vulnerability found in versions of the WPFront Notification Bar plugin. This could fully compromise your site if exploited.

The WPFront Notification Bar plugin is a popular way to display announcements, notices, and marketing messages to visitors through a bar at the top or bottom of pages. It has over 800,000 downloads and 50,000 active installs. Many small business owners rely on it to connect with customers.

Unfortunately, earlier versions of the plugin have a vulnerability that allows attackers to inject malicious javascript code if they gain admin access. Specifically, versions up to and including 3.3.2 are impacted. This XSS attack can give hackers full control of sites.

While the plugin authors have now patched the problem in version 3.3.3, sites running older versions remain at risk. Updating is crucial but often falls through the cracks when trying to manage all aspects of a small business.

If exploited, this vulnerability allows attackers to modify and redirect your pages, steal sensitive data entered by visitors, or insert code to fully compromise your site. Users may not realize their interactions with your business have been compromised.

To protect your website, update to the latest version of WPFront Notification Bar as soon as possible. Also check your site for any unauthorized code or scripts that may indicate past exploitation. Considering alternate plugins like NotificationX or Smart Bar provides an extra layer of security.

This is just the most recent vulnerability found in the plugin, with two others identified since July 2021. The frequency of discoveries highlights why staying on top of updates is so important. While tedious, consistently updating plugins mitigates the risk of known flaws being used to undermine your hard work building an online presence.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.

WPFront Notification Bar Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class] – CVE-2024-0625 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment