CVE-2024-11901 in PowerBI Embed Reports Plugininfo

Summary

by MITRE • 12/12/2024

The PowerBI Embed Reports plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MO_API_POWER_BI' shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/18/2025

The vulnerability identified as CVE-2024-11901 affects the PowerBI Embed Reports plugin for WordPress, specifically targeting versions up to and including 1.1.7. This represents a critical security flaw that exploits the plugin's shortcode functionality to enable stored cross-site scripting attacks. The vulnerability exists within the 'MO_API_POWER_BI' shortcode implementation where user-supplied attributes are not properly sanitized or escaped before being rendered in web pages, creating a persistent vector for malicious code injection.

The technical flaw stems from inadequate input validation and output escaping mechanisms within the plugin's codebase. When authenticated users with contributor-level privileges or higher submit content containing malicious scripts through the shortcode attributes, these inputs are stored in the WordPress database without proper sanitization. This stored malicious content then executes whenever any user accesses pages containing the compromised shortcode, making it a persistent threat that affects all users who encounter the injected content. The vulnerability operates as a classic stored XSS attack where the malicious payload is not reflected in the HTTP response but is instead stored and later executed in the victim's browser.

The operational impact of this vulnerability is significant for WordPress sites utilizing the affected plugin, as it provides attackers with a means to execute arbitrary JavaScript code in the context of the victim's browser. This could enable attackers to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious sites, or even escalate privileges within the WordPress environment. The fact that the vulnerability requires only contributor-level access makes it particularly dangerous as it can be exploited by users who normally have limited administrative capabilities, potentially allowing for privilege escalation or data exfiltration attacks.

Organizations using this plugin should immediately implement mitigations including updating to the latest version of the plugin where the vulnerability has been patched, implementing strict input validation for shortcode attributes, and conducting thorough security reviews of all user-contributed content. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and can be categorized under ATT&CK technique T1566.001 for initial access through malicious content. Additionally, this vulnerability demonstrates the importance of proper input sanitization and output escaping practices as recommended in the OWASP Top Ten security guidelines, particularly in relation to preventing XSS attacks through proper validation and encoding of user-supplied data.

Responsible

Wordfence

Reservation

11/27/2024

Disclosure

12/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00467

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!