CVE-2024-4439: Unauthenticated Stored Cross-Site Scripting Vulnerability in WordPress Core

CVE-2024-4439

A significant security vulnerability has been identified in WordPress, the world’s most popular content management system, which could potentially allow attackers to take control of affected websites. The vulnerability, tracked as CVE-2024-4439 and rated at a severity of 7.2 on the Common Vulnerability Scoring System (CVSS), pertains to a stored Cross-Site Scripting (XSS) flaw in the WordPress Core.

CVE-2024-4439

The flaw specifically impacts the Avatar block within WordPress versions up to 6.5.2. This block, introduced in version 6.0, is utilized to display the avatars of post authors or comment authors depending on the context. The vulnerability arises due to insufficient output escaping of user display names, enabling both authenticated and unauthenticated attackers to inject harmful web scripts.

For authenticated users, particularly those with contributor-level access or higher, the exploit can lead to the injection of arbitrary web scripts into pages that will execute when a user views an affected page. Unauthenticated attackers, on the other hand, can exploit the vulnerability in pages where the comment block is present, displaying the comment author’s avatar.

The core issue stems from the improper order of operations in the escaping and formatting of user-supplied data. Here’s a glance at the affected code snippet:

$label = 'aria-label="' . sprintf( esc_attr__( '(%s author archive, opens in a new tab)' ), $author_name ) . '"';
$label = 'aria-label="' . sprintf( esc_attr__( '(%s website link, opens in a new tab)' ), $comment->comment_author ) . '"';

The CVE-2024-4439 vulnerability is introduced because esc_attr() is executed prior to sprintf(), meaning that the comment_author and author_name are not properly escaped prior to being included in the HTML output. This opens a door for attribute-based XSS payloads.

The implications of this vulnerability are severe, as XSS attacks can be used to add administrative users, alter theme or plugin code to introduce backdoors, and other malicious activities that could compromise the entire site.

WordPress responded swiftly with a security update in version 6.5.2 released on April 9, 2024, which addresses this vulnerability. This patch has also been backported to versions starting from 6.1. All WordPress site administrators must ensure that their sites are updated to version 6.5.2 or a later secure release.