CVE-2024-10108 in WPAdverts Plugin

Summary

by MITRE • 10/30/2024

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/01/2025

The WPAdverts – Classifieds Plugin for WordPress is a widely used plugin that lets site visitors submit classified advertisements and site owners display them. All versions up to and including 2.1.6 contain a stored cross-site scripting vulnerability in the implementation of the adverts_add shortcode, which renders the plugin's advert submission form. The flaw is a combination of insufficient sanitization of submitted data and missing escaping when that data is written back into page output, and it is reachable by unauthenticated attackers, since submitting an advert through the form does not require an account.

The technical flaw is the classic stored XSS pattern: attacker-controlled field values submitted through the adverts_add form are not neutralized before they are saved, and are not escaped for their HTML context when the plugin later renders them. Because the payload is written to the WordPress database, it survives the attacker's session and runs in the browser of every visitor who loads the page that displays it, in the origin of the vulnerable site. This is CWE-79 (improper neutralization of input during web page generation); the "stored" variant differs from reflected XSS only in that the injection point and the execution point are separated by persistent storage, which is what makes one submission reach many victims.
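The following PHP is an added illustration, not code from WPAdverts or from this advisory: a minimal advert-submission shortcode written first in the vulnerable shape described above and then in a hardened form. The demo_ function, option and field names are hypothetical; the WordPress API calls (add_shortcode, get_option, update_option, sanitize_text_field, wp_unslash, esc_url_raw, wp_kses_post, wp_nonce_field, wp_verify_nonce, esc_url, esc_html) are real core functions.

```php
<?php
/**
 * Added example, not WPAdverts' own code. A classified-ad submission
 * shortcode that stores submissions in a WordPress option and renders
 * them back. The first version has the CWE-79 stored XSS pattern; the
 * second sanitizes on input and escapes on output. All demo_* names are
 * hypothetical.
 */

// --- Vulnerable: raw $_POST stored, stored values echoed unescaped ---
function demo_ad_vulnerable_shortcode( $atts ) {
    $ads = get_option( 'demo_ads', array() );

    if ( isset( $_POST['demo_ad_title'] ) ) {
        // Input from an anonymous visitor goes straight into persistent storage.
        $ads[] = array(
            'title' => $_POST['demo_ad_title'],
            'url'   => $_POST['demo_ad_url'],
            'body'  => $_POST['demo_ad_body'],
        );
        update_option( 'demo_ads', $ads );
    }

    $out = '<form method="post"><input name="demo_ad_title"><input name="demo_ad_url">'
         . '<textarea name="demo_ad_body"></textarea><button>Post</button></form>';

    foreach ( $ads as $ad ) {
        // Every visitor who loads this page executes whatever was stored:
        // a <script> in the title, or javascript: in the href, runs as-is.
        $out .= '<div class="ad"><a href="' . $ad['url'] . '">' . $ad['title'] . '</a>'
              . '<p>' . $ad['body'] . '</p></div>';
    }
    return $out;
}
add_shortcode( 'demo_ad_vulnerable', 'demo_ad_vulnerable_shortcode' );

// --- Hardened: sanitize per field on input, escape per context on output ---
function demo_ad_hardened_shortcode( $atts ) {
    $ads = get_option( 'demo_ads_safe', array() );

    // The nonce is CSRF protection only; logged-out visitors can still submit.
    if ( isset( $_POST['demo_ad_title'], $_POST['demo_ad_nonce'] )
        && wp_verify_nonce( sanitize_key( $_POST['demo_ad_nonce'] ), 'demo_ad_submit' ) ) {

        $ads[] = array(
            // Plain-text field: strip tags, line breaks and control characters.
            'title' => sanitize_text_field( wp_unslash( $_POST['demo_ad_title'] ) ),
            // URL field: only http(s) survives, so javascript: and data: are dropped.
            'url'   => esc_url_raw( wp_unslash( $_POST['demo_ad_url'] ), array( 'http', 'https' ) ),
            // Rich-text field: allow only the post-safe HTML subset, no script/event attributes.
            'body'  => wp_kses_post( wp_unslash( $_POST['demo_ad_body'] ) ),
        );
        update_option( 'demo_ads_safe', $ads );
    }

    $out = '<form method="post">'
         . wp_nonce_field( 'demo_ad_submit', 'demo_ad_nonce', true, false )
         . '<input name="demo_ad_title"><input name="demo_ad_url">'
         . '<textarea name="demo_ad_body"></textarea><button>Post</button></form>';

    foreach ( $ads as $ad ) {
        // Escape again at output even though input was sanitized: the stored
        // rows may have been written by an older, vulnerable code path.
        $out .= '<div class="ad"><a href="' . esc_url( $ad['url'] ) . '">'
              . esc_html( $ad['title'] ) . '</a>'
              . '<p>' . wp_kses_post( $ad['body'] ) . '</p></div>';
    }
    return $out;
}
add_shortcode( 'demo_ad_hardened', 'demo_ad_hardened_shortcode' );
```

The point of escaping at output in the hardened version is the one that matters for an upgrade scenario: sanitizing new submissions does nothing for payloads already sitting in the database from before the fix, so a correct patch for a stored XSS has to escape on render, and a site owner should additionally review adverts submitted while the vulnerable version was installed.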

The operational impact goes beyond running a script. The injected code executes with the privileges of whoever views the page, so an administrator who moderates or previews adverts is the high-value victim: from the admin's browser the script can call admin-ajax or the REST API with the admin's cookies and nonces to create users, change settings or install a plugin, which is a realistic path to full site compromise. Note that WordPress authentication cookies are HttpOnly by default, so plain cookie theft is usually not the attack; acting in the victim's session directly from the page is. For ordinary visitors the impact is credential phishing, redirection and content injection. No authentication is required to plant the payload, and classified-ad pages are by design public and high-traffic, so a single submission reaches many browsers. The exposure is prolonged on sites that do not update plugins promptly.

Mitigation starts with updating WPAdverts to a version later than 2.1.6, and with reviewing adverts submitted while the vulnerable version was installed, since a patch that only sanitizes new input leaves stored payloads in place. A Content Security Policy that restricts script-src can blunt injected inline scripts, with the caveat that many WordPress themes and plugins rely on inline scripts, so a strict policy usually needs nonces or hashes and should be tested in report-only mode first. Monitoring advert content and shortcode-rendered fields for script tags, event-handler attributes and javascript: URLs, and regular audits of installed plugins, are the detection side. The weakness maps to CWE-79 and OWASP Top Ten A03:2021 (Injection); in ATT&CK terms the post-exploitation behavior is T1059.007 (Command and Scripting Interpreter: JavaScript) rather than phishing. A web application firewall rule blocking common XSS payloads in advert fields is a stopgap that reduces exposure until the update is applied, not a substitute for it.

Reservation

10/17/2024

Disclosure

10/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00382

KEV

no

Activities

very low

Sources
