CVE-2024-2783 in GamiPress Plugininfo

Summary

by MITRE • 04/10/2024

The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2025

The vulnerability identified as CVE-2024-2783 affects the GamiPress WordPress plugin, specifically targeting versions up to and including 6.9.0. This represents a critical security flaw that exploits the plugin's shortcode functionality to enable stored cross-site scripting attacks. The vulnerability arises from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating an exploitable condition that allows malicious actors to inject persistent script code into the application's database. The flaw is particularly concerning because it requires only contributor-level access or higher, making it accessible to users who already possess significant privileges within the WordPress environment. This means that attackers with relatively low-level permissions can leverage this vulnerability to compromise the entire WordPress installation.

The technical implementation of this vulnerability stems from the plugin's handling of user-supplied attributes within its shortcode system. When administrators or contributors create or modify content using GamiPress shortcodes, the plugin fails to properly sanitize the input parameters before storing them in the database. Additionally, the output escaping mechanisms are insufficient to prevent malicious scripts from being rendered when legitimate users access pages containing the injected content. This creates a persistent XSS vector where malicious code stored in the database executes every time affected pages are loaded, potentially affecting all users who access those pages. The vulnerability is classified under CWE-79, which specifically addresses Cross-Site Scripting flaws, and aligns with ATT&CK technique T1566.001 for Initial Access through Web Shell or Malicious Code Injection.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and privilege escalation within the WordPress environment. An attacker could potentially inject scripts that redirect users to malicious sites, steal cookies and session information, or even deploy additional malware. The persistent nature of stored XSS means that the malicious code remains active until manually removed from the database, providing attackers with sustained access to the compromised system. This vulnerability particularly affects WordPress sites that rely heavily on user-generated content and contributor-level permissions, as it demonstrates how even users with limited administrative rights can compromise the entire platform through carefully crafted attacks.

Mitigation strategies for CVE-2024-2783 should prioritize immediate plugin updates to versions that address the identified sanitization and escaping deficiencies. Organizations should implement strict input validation measures to ensure that all user-supplied data passed to shortcode attributes undergoes proper sanitization before being stored in the database. Additionally, output escaping mechanisms must be strengthened to prevent malicious scripts from executing when content is rendered to end users. Network monitoring and intrusion detection systems should be configured to detect suspicious shortcode usage patterns, and regular security audits of WordPress installations should include checks for vulnerable plugins. Implementing role-based access controls and limiting contributor privileges where possible can also reduce the attack surface, while maintaining comprehensive backup and recovery procedures ensures rapid restoration of compromised systems. The vulnerability highlights the critical importance of proper input validation and output escaping in web applications, particularly those handling user-generated content, as emphasized by security frameworks such as OWASP Top Ten and NIST cybersecurity guidelines.

Responsible

Wordfence

Reservation

03/21/2024

Disclosure

04/10/2024

Moderation

accepted

CPE

ready

EPSS

0.00363

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!