Severity: MEDIUM
Description: The T(-) Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tminus' shortcode in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score: 6.4
1. Risk Assessment
CVE-2024-9884 is a stored cross-site scripting (XSS) vulnerability in the T(-) Countdown plugin for WordPress, rated 6.4 (MEDIUM) on the CVSS base scale. In all versions up to and including 2.4.8, the plugin's 'tminus' shortcode takes user-supplied attributes and writes them into the rendered markup without adequate sanitization on input or escaping on output. Any authenticated user with the contributor role or higher can therefore embed a shortcode whose attributes carry a script or event-handler payload; the payload is stored with the post and executes in the browser of every user who renders that page, including the editors and administrators who preview or review it. The usual safeguard for low-privilege authors does not apply here: WordPress runs content from users without the unfiltered_html capability through its kses filter, but a shortcode with hostile attribute text contains no HTML tags, so it passes the filter unchanged and the dangerous markup is only produced when the shortcode is rendered.
The likelihood of exploitation is moderate because the attacker first needs an account; sites that allow open registration, or that hand out contributor accounts to many external authors, are correspondingly more exposed. Once such an account exists, exploitation is trivial: it takes one post edit and no interaction beyond a victim loading the page. The impact is to the confidentiality and integrity of whoever views the page. WordPress authentication cookies are set HttpOnly, so reading them from script is not the realistic outcome; the realistic outcome is the script acting with the victim's session from inside wp-admin, where an administrator victim means the attacker can create accounts, change settings or install code and escalate to full site compromise. Availability is not directly affected, but the resulting defacement or loss of user trust can carry significant business consequences.
2. Potential Attack Scenarios
An attacker holding a contributor account on a site running a vulnerable T(-) Countdown release writes or edits a post containing the 'tminus' shortcode and places a payload in one of its attributes, for instance closing the attribute's quote and appending an event handler, or inserting a script fragment, depending on where the plugin echoes that attribute. Contributors cannot publish, but they can submit posts for review and preview their own drafts, and the stored payload also fires in the preview an editor or administrator opens while reviewing the submission. Whoever renders the page runs the injected script in their own browser and their own session: it can issue requests to wp-admin with the victim's privileges and nonces, alter content, or redirect visitors to an attacker-controlled site.
The attack process involves the following steps:
- The attacker obtains contributor-level access, whether through compromised credentials, social engineering, or a site whose open registration assigns the contributor role by default.
- The attacker creates or edits a post, embedding the 'tminus' shortcode with an attribute value crafted to break out of the generated markup or to carry script.
- The post, and with it the payload, is stored in the database; the plugin regenerates the markup from the stored attributes every time the page is rendered, so the script runs for every viewer.
- The script acts with the viewing user's privileges: for an administrator, that can mean creating an account or installing a plugin through wp-admin; for any user, it can mean exfiltrating data visible in that session or redirecting the browser.
The potential outcomes range from defacement and data exposure to full administrative takeover of the site, with the associated reputational damage.
3. Mitigation Recommendations
To mitigate this vulnerability, take the following steps:
- Update the T(-) Countdown plugin to a release later than 2.4.8 as soon as one is available. Until then, disable or remove the plugin, and review existing posts for 'tminus' shortcodes whose attributes contain quotes, angle brackets, event-handler names or script fragments.
- In custom code, treat every shortcode attribute as untrusted: declare defaults with shortcode_atts(), validate each value against what it is meant to be (a number via absint(), a fixed set of options via an allow-list, an identifier via sanitize_html_class()), and still escape at the point of output with esc_attr() or esc_html(). Validation and output escaping guard against different mistakes, so neither replaces the other.
- Grant contributor and higher roles only to trusted users, check that open registration does not default to a role above subscriber, and enforce strong passwords and multi-factor authentication to reduce the risk of account compromise.
- Monitor and audit content changes, in particular edits by low-privilege accounts that introduce shortcodes, so that an injected payload is caught before an administrator previews it.
- Use a web application firewall (WAF) to block common XSS payloads as a defence in depth, while remembering that signature-based filtering can be bypassed and is no substitute for the plugin update.
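To make the root cause and the fix concrete, the following is an added example, not the T(-) Countdown plugin's code and not a reconstruction of the real 'tminus' handler: a generic WordPress shortcode handler written first in the unsafe pattern the risk assessment describes (attribute values copied into markup as-is), then hardened as the second mitigation above recommends. The attribute names, defaults and payload are assumptions chosen for illustration; the stand-in definitions of the WordPress helpers are simplified and exist only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Attribute names, defaults and the
// payload are illustrative assumptions.

// Simplified stand-ins for WordPress helpers so this file runs on its own.
// Inside WordPress these are already defined and the blocks are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $value ) {
        return abs( (int) $value );
    }
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( $class, $fallback = '' ) {
        $clean = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $class );
        return ( '' === $clean ) ? $fallback : $clean;
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = isset( $atts[ $name ] ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// Hypothetical attribute set for a countdown shortcode.
function demo_defaults() {
    return array( 'id' => 'countdown', 'style' => 'default', 't' => '0' );
}

// Unsafe pattern: attribute values go straight into the generated markup.
// Anything that closes the surrounding quote becomes a new HTML attribute.
function demo_countdown_vulnerable( $atts ) {
    $a = shortcode_atts( demo_defaults(), $atts );
    return '<div id="' . $a['id'] . '" class="tminus ' . $a['style']
        . '" data-t="' . $a['t'] . '"></div>';
}

// Hardened pattern: sanitize each attribute to the type it is supposed to
// have, then escape on output anyway.
function demo_countdown_hardened( $atts ) {
    $a = shortcode_atts( demo_defaults(), $atts );

    $id    = sanitize_html_class( $a['id'], 'countdown' );   // identifier: restrict charset
    $style = in_array( $a['style'], array( 'default', 'dark', 'light' ), true )
        ? $a['style'] : 'default';                             // option: allow-list
    $t     = absint( $a['t'] );                                // number: coerce

    return '<div id="' . esc_attr( $id ) . '" class="tminus ' . esc_attr( $style )
        . '" data-t="' . esc_attr( $t ) . '"></div>';
}

// Constructed sample: the array WordPress's shortcode parser produces for a
// post containing
//   [tminus id='x" onfocus="alert(1)' style='dark" onclick="alert(2)' t="60"]
// A single-quoted shortcode value may contain double quotes, and the post
// body holds no HTML tags, so the kses filter for contributors lets it through.
function demo_hostile_atts() {
    return array(
        'id'    => 'x" onfocus="alert(1)',
        'style' => 'dark" onclick="alert(2)',
        't'     => '60',
    );
}

function demo_render_both( $atts ) {
    return array(
        'vulnerable' => demo_countdown_vulnerable( $atts ),
        'hardened'   => demo_countdown_hardened( $atts ),
    );
}

foreach ( demo_render_both( demo_hostile_atts() ) as $label => $html ) {
    echo $label, ': ', $html, PHP_EOL;
}
```

Run with `php demo.php`. The vulnerable line emits a div carrying injected `onfocus` and `onclick` handlers, because the attacker's `"` closed the id and class attributes; the hardened line emits `<div id="xonfocusalert1" class="tminus default" data-t="60"></div>`, with the identifier reduced to a safe character set, the unknown style replaced by its default and the time coerced to an integer. The same discipline applies whatever the real attribute names are: decide what each attribute is (identifier, option, number, free text), sanitize to that type, and still pass it through esc_attr() or esc_html() where it enters the markup.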
For further reference, consult the following resources:
- Wordfence Threat Intelligence: https://www.wordfence.com/threat-intel/vulnerabilities/id/23a0dcdf-e98f-4e24-9900-49ca522b8038?source=cve
- Plugin Source Code: https://plugins.trac.wordpress.org/browser/t-countdown/trunk/t-countdown.php#L810
- Plugin Homepage: https://wordpress.org/plugins/t-countdown/
4. Executive Summary
CVE-2024-9884 is a medium-severity stored cross-site scripting vulnerability in the T(-) Countdown plugin for WordPress (versions up to and including 2.4.8) that lets any contributor-level or higher user plant script in a page through the 'tminus' shortcode. The script runs for every viewer of that page, and when the viewer is an administrator reviewing the post it can act with administrative privileges, so the realistic worst case is full site takeover rather than the moderate rating might suggest. Update the plugin past 2.4.8 as soon as a release is available, disable it in the meantime, review existing content for injected shortcodes, and tighten who holds contributor accounts.