CVE-2024-1041 in WP Radio Plugin
Summary
by MITRE • 04/10/2024
The WP Radio – Worldwide Online Radio Stations Directory for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping as well as insufficient access control on the settings. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/07/2025
The vulnerability identified as CVE-2024-1041 affects the WP Radio plugin for WordPress, specifically targeting versions up to and including 3.1.9. This plugin serves as a directory for online radio stations and is widely used within the WordPress ecosystem. The security flaw manifests as a stored cross-site scripting vulnerability that exploits weaknesses in input validation and output escaping mechanisms. The vulnerability's impact is amplified by insufficient access control measures on the plugin's settings interface, creating a pathway for malicious actors to execute persistent code injections.
The technical exploitation of this vulnerability occurs through the plugin's settings management functionality where user inputs are not properly sanitized before being stored in the database. When authenticated attackers with subscriber privileges or higher access the affected plugin settings, they can inject malicious scripts that persistently execute whenever any user visits pages containing the injected content. This stored nature of the vulnerability means that the malicious code remains embedded within the system until manually removed, creating a persistent threat vector that can affect multiple users over time. The vulnerability directly maps to CWE-79, which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping, and represents a classic case of insecure data handling in web applications.
The operational impact of CVE-2024-1041 extends beyond simple script execution as it creates a potential attack surface for more sophisticated exploitation techniques. Once attackers successfully inject malicious scripts, they can leverage this foothold to perform various malicious activities including credential theft, session hijacking, or redirecting users to malicious websites. The vulnerability's accessibility through subscriber-level privileges means that even relatively low-privileged users within a WordPress environment can potentially compromise the entire system. Attackers can craft payloads that appear legitimate within the context of the radio directory plugin, making detection more challenging and increasing the likelihood of successful exploitation.
Security mitigation strategies for this vulnerability should focus on immediate patching of the WP Radio plugin to versions that address the input sanitization and access control deficiencies. Organizations should implement comprehensive access control policies that limit the privileges of users with subscriber roles, particularly when dealing with plugin settings that can affect system-wide functionality. Input validation mechanisms must be strengthened to properly sanitize all user-provided data before storage, while output escaping should be enforced to prevent script execution in rendered pages. The vulnerability also highlights the importance of the principle of least privilege and proper access control implementation, which aligns with ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting through web applications. Regular security audits and monitoring of plugin settings changes should be implemented to detect unauthorized modifications that could indicate exploitation attempts.