CVE-2024-4095 in Collapse-O-Matic Plugin
Summary
by MITRE • 06/15/2024
The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' and 'expandsub' shortcodes in all versions up to, and including, 1.8.5.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/23/2025
The Collapse-O-Matic WordPress plugin presents a critical stored cross-site scripting vulnerability affecting all versions through 1.8.5.7, a significant security risk for WordPress installations. The flaw stems from inadequate input sanitization and output escaping in the plugin's shortcode processing, specifically the 'expand' and 'expandsub' shortcodes commonly used to create interactive content elements on WordPress sites. It allows authenticated attackers with contributor-level privileges or higher to inject malicious scripts that persist in the WordPress database and execute whenever users view pages containing the affected content, which is particularly dangerous in multi-user environments where contributors have access to content creation features.
Technically, the vulnerability is reached through shortcode attributes that are not properly sanitized before being stored in the database. When these attributes contain script code, the plugin neither validates the input nor escapes it on output, so the script is stored and later executed in the browsers of other users. This is a classic stored XSS vector: the payload is injected once and executed repeatedly whenever the affected content is rendered, potentially affecting every user who views the compromised pages. The impact is amplified by the fact that contributors typically have broad access to content creation features, which makes the weakness easy for attackers to reach within WordPress installations.
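To make the root cause concrete, here is an added PHP illustration (not code from Collapse-O-Matic or from VulDB) of a minimal WordPress shortcode handler for a hypothetical [demo_expand] tag, first written the way the advisory describes the flaw, with author-supplied attributes copied straight into the HTML, and then hardened with WordPress's escaping functions. The shortcode name, attribute names and function names are assumptions; shortcode_atts(), esc_attr(), esc_html(), wp_kses_post(), sanitize_html_class(), do_shortcode() and add_shortcode() are standard WordPress core functions.

```php
<?php
// Added illustration (not the Collapse-O-Matic plugin's code): a minimal
// WordPress shortcode handler for a hypothetical [demo_expand] tag, shown in
// the unsafe shape the advisory describes and then hardened.

// UNSAFE: attributes supplied by the post author reach the HTML untouched.
// A contributor-supplied value can terminate the title/id attribute and add
// its own markup, which is then stored and rendered for every visitor.
function demo_expand_unsafe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => 'Read more', 'id' => '' ), $atts, 'demo_expand' );

    return '<a class="demo-expand" id="' . $atts['id'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a>'
         . '<div class="demo-expand-body">' . do_shortcode( $content ) . '</div>';
}

// HARDENED: every attribute is escaped for the context it lands in, and the
// enclosed content is filtered against the post-safe allow-list before output.
function demo_expand_safe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => 'Read more', 'id' => '' ), $atts, 'demo_expand' );

    // Restrict the id to [A-Za-z0-9_-], the characters a safe HTML id needs.
    $id = sanitize_html_class( $atts['id'] );

    // esc_attr() encodes quotes and angle brackets, so the value cannot close
    // the attribute or open a new tag; esc_html() does the same for text nodes.
    $html  = '<a class="demo-expand" id="' . esc_attr( $id ) . '" title="' . esc_attr( $atts['title'] ) . '">';
    $html .= esc_html( $atts['title'] ) . '</a>';

    // wp_kses_post() removes <script>, on* event handlers and javascript: URLs
    // while keeping the formatting tags a post is allowed to contain.
    $html .= '<div class="demo-expand-body">' . wp_kses_post( do_shortcode( $content ) ) . '</div>';

    return $html;
}

// Only the hardened handler is registered.
add_shortcode( 'demo_expand', 'demo_expand_safe' );
```

The important design point is that escaping happens at output time and is chosen per context (attribute value versus text node versus nested HTML); sanitizing only on save is not enough, because the stored value may later be emitted into a different context than the one it was checked against.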
The operational impact extends beyond simple script execution: the stored XSS can enable credential theft, session hijacking, data exfiltration, and further exploitation of the compromised WordPress environment. Attackers could use it to steal administrator credentials, modify content, or redirect users to malicious sites, potentially leading to complete compromise of the WordPress installation. Because the payload is persistent, the malicious script keeps executing for every user who accesses an affected page until the content is manually removed from the database, which makes the issue harder to contain and remediate. The vulnerability is classified under CWE-79, which specifically covers cross-site scripting flaws, and represents a significant concern for WordPress plugin security.
Organizations should immediately update to the latest version of the Collapse-O-Matic plugin, as no fix exists for earlier versions other than the release that corrected the sanitization issues. System administrators should monitor user activity and content changes, particularly by users with the contributor role, to detect exploitation attempts. The vulnerability's classification under ATT&CK technique T1566.001 highlights its potential for initial access through malicious content, while its persistence through stored XSS aligns with T1566.002 for credential access. Additional mitigations include role-based access controls that limit contributor capabilities, regular security audits of installed plugins, and backup strategies that can quickly restore clean content after a successful exploitation. Organizations should also consider Content Security Policy headers as a defense-in-depth measure to limit the impact of any XSS exploitation.
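The monitoring and CSP mitigations above, as an added PHP example that is neither VulDB's nor the plugin's code: two hooks a site owner could place in a must-use plugin while the vendor fix is rolled out. The policy source list, the logging destination and the attribute character check are assumptions to adapt per site; get_shortcode_regex(), shortcode_parse_atts(), current_user_can(), the wp_insert_post_data filter and the send_headers action are WordPress core APIs.

```php
<?php
// Added defensive illustration (not the plugin's code).

// 1. Defense in depth: a Content Security Policy without 'unsafe-inline', so an
//    injected inline script or on* handler is refused by the browser even if it
//    reached the page. send_headers fires for front-end requests only. The
//    source list below is an assumption; list the site's real script origins.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );

// 2. Detection: when a user who lacks the unfiltered_html capability
//    (contributors, authors) saves a post, inspect every [expand]/[expandsub]
//    shortcode and log attribute values that contain markup-like characters.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $data; // Editors/admins may publish raw HTML anyway; nothing to flag.
    }

    // Core regex for the named tags: group 2 is the tag, group 3 the attributes.
    $pattern = get_shortcode_regex( array( 'expand', 'expandsub' ) );
    if ( ! preg_match_all( '/' . $pattern . '/s', $data['post_content'], $matches, PREG_SET_ORDER ) ) {
        return $data;
    }

    foreach ( $matches as $m ) {
        // shortcode_parse_atts() returns '' when there are no attributes.
        $atts = (array) shortcode_parse_atts( $m[3] );
        foreach ( $atts as $name => $value ) {
            // Angle brackets, quotes or a javascript: scheme have no place in a
            // title or id attribute; record the event for the security log
            // (assumed destination: PHP error log, forwarded by the host).
            if ( preg_match( '/[<>"\']|javascript:/i', (string) $value ) ) {
                error_log( sprintf(
                    'Suspicious [%s] shortcode attribute "%s" in post %d saved by user %d',
                    $m[2],
                    $name,
                    (int) ( $postarr['ID'] ?? 0 ),
                    get_current_user_id()
                ) );
            }
        }
    }

    return $data;
}, 10, 2 );
```

The filter only observes and logs rather than rewriting content, so it cannot break legitimate posts; the log line carries the post and user ids needed to review the change and, if necessary, restore the post from backup as the analysis recommends.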