Relevanssi < 4.23.1 – Contributor+ Stored XSS | CVE 2024-9021

Description

In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the Contributor+ by embedding malicious script, which entails account takeover backdoor

Proof of Concept

1. Log in from a user with Contributor rights+
2. Go to Posts And create a new Post
3. In the parameters of the post, click on the three dots from the top right.
4. In the General column, scroll down and include Advanced Custom Fields in the section.
5. In Custom Fields, enter the payload for Stored XSS in the Name parameter.
"><script></script><img src=x onerror=alert(/test XSS/)>
6. Enter Add title to save the post.
7. The vulnerability will be worked out by the administrator of the user, for this you need to go to settings.
8. In Settings, select the Relevanssi plugin.
9. Go to the plugin settings and enter the Indexing panel
10. In the Indexing panel, click on the 'List custom fields' button, which stores all WordPress meta fields, with the specified payload being processed