CVE-2024-10147 in Steel Plugin
Summary
by MITRE • 11/16/2024
The Steel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/26/2025
The vulnerability identified as CVE-2024-10147 affects the Steel plugin for WordPress, specifically targeting versions up to and including 1.3.0. This represents a critical security flaw that undermines the integrity of WordPress installations by allowing malicious actors with contributor-level privileges or higher to execute persistent cross-site scripting attacks. The vulnerability exists within the plugin's btn shortcode functionality, which processes user-supplied attributes without adequate sanitization measures.
The technical implementation of this vulnerability stems from insufficient input validation and output escaping mechanisms within the plugin's shortcode processing code. When users with contributor access or above create or modify content containing the btn shortcode, they can inject malicious JavaScript code through attribute parameters that are not properly sanitized before being rendered in web pages. This stored XSS vulnerability operates by persistently embedding malicious scripts within the plugin's shortcode handling logic, ensuring that the injected code executes every time affected pages are accessed by any user, regardless of their privileges.
The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent backdoor for attackers to manipulate user sessions, steal cookies, perform unauthorized actions, or redirect users to malicious sites. Since the vulnerability requires only contributor-level access, it represents a significant risk to WordPress sites where multiple users have editing privileges. The attack vector is particularly concerning because it leverages legitimate plugin functionality to deliver malicious payloads, making detection more challenging for security monitoring systems.
This vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in software applications. The issue also maps to several ATT&CK techniques including T1566.001 for Spearphishing Attachment and T1059.007 for Scripting, as attackers can use the stored XSS to execute malicious scripts and potentially establish persistent access. Organizations using the Steel plugin must prioritize immediate remediation through plugin updates or implement temporary mitigations such as restricting contributor privileges until the vulnerability is fully addressed.
The security implications of this vulnerability highlight the importance of proper input validation and output escaping practices in web application development. WordPress plugin developers should implement comprehensive sanitization routines for all user-supplied data, particularly when processing shortcode attributes and other dynamic content elements. The vulnerability demonstrates how seemingly benign plugin functionality can become a vector for sophisticated attacks when proper security controls are omitted from the development lifecycle. Organizations should conduct thorough security assessments of their WordPress environments to identify similar vulnerabilities in other plugins and themes, as this represents a common pattern in WordPress security issues where insufficient validation leads to critical exploitation opportunities.