CVE-2024-3672 in BA Book Everything Plugin
Summary
by MITRE • 04/16/2024
The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'all-items' shortcode in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes such as 'classes'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/06/2025
The BA Book Everything plugin for WordPress presents a significant security vulnerability classified as stored cross-site scripting that affects all versions through 1.6.8. This flaw exists within the plugin's 'all-items' shortcode implementation where user-supplied attributes including the 'classes' parameter are not properly sanitized or escaped before being rendered in web pages. The vulnerability specifically targets authenticated attackers who possess contributor-level access or higher privileges within the WordPress environment, making it particularly concerning given the relatively low privilege requirements needed to exploit this weakness.
The technical nature of this vulnerability stems from inadequate input validation processes within the plugin's shortcode handling mechanism. When administrators or contributors utilize the 'all-items' shortcode with user-provided attributes, the plugin fails to implement proper sanitization measures that would normally prevent malicious script injection. The 'classes' attribute serves as the primary vector for exploitation, as it allows attackers to inject arbitrary HTML and JavaScript code that gets stored within the WordPress database. This stored payload executes every time a user accesses a page containing the compromised shortcode, creating a persistent threat that can affect any visitor to the affected website.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform various malicious activities including credential theft, session hijacking, and data exfiltration. Since the vulnerability requires only contributor-level access, it represents a significant risk for WordPress sites where multiple users have editing privileges. Attackers can craft malicious shortcodes that redirect users to phishing sites, steal authentication cookies, or inject malicious advertisements into legitimate pages. The stored nature of the vulnerability means that once exploited, the malicious code remains persistent and will continue to affect users until the compromised content is manually removed or the plugin is updated.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the sanitization issues, though users should verify that the updated version properly resolves the XSS concerns. Security practitioners should implement additional protective measures including input validation at the web application firewall level, regular monitoring of user-generated content for suspicious shortcode usage, and comprehensive user privilege reviews to minimize the attack surface. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and follows ATT&CK technique T1566.001 related to spearphishing attachments that could be leveraged to establish the initial contributor-level access required for exploitation. Organizations should also consider implementing content security policies and regular security audits of WordPress plugins to prevent similar vulnerabilities from being introduced into their web applications.