CVE-2024-8914:
Unauthenticated stored Cross-Site Scripting (XSS) vulnerability in the Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam WordPress plugin, affected up to and including version 2.0.1, caused by improper handling of HTML sanitization (wp_kses_allowed_html) that allows onclick attributes without sufficient restriction.
Score
A numerical rating that indicates how dangerous this vulnerability is.
5.5Medium- Published Date:Sep 25, 2024
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.6
- EPSS Percentile:70%
Exploitability
- Score:1.8
- Attack Vector:LOCAL
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:REQUIRED
- Scope:UNCHANGED
Impact
- Score:3.6
- Confidentiality Impact:HIGH
- Integrity Impact:NONE
- Availability Impact:NONE
Description Preview
Unauthenticated stored Cross-Site Scripting (XSS) vulnerability in the Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam WordPress plugin, affected up to and including version 2.0.1, caused by improper handling of HTML sanitization (wp_kses_allowed_html) that allows onclick attributes without sufficient restriction.
Overview
This vulnerability is a stored XSS in a WordPress plugin used for payment-related QR code functionality. Due to improper sanitization via wp_kses_allowed_html, attackers can inject malicious scripts that persist in the site’s pages and execute in the context of subsequent user visits, without needing user credentials. The issue affects all versions up to 2.0.1 and is exploitable by unauthenticated actors, potentially affecting multiple site visitors and leading to data exposure or other user-impacting actions.
Remediation
- Upgrade or replace: Update the plugin to a version that contains the fix or remove the plugin if no patched release is available. Verify the fix in the plugin’s changelog and repository.
- If patching the code directly: Tighten input/output sanitization by removing permissive attributes (e.g., disallow onclick and other event handler attributes) from wp_kses_allowed_html usage; ensure all user-supplied content is properly escaped (e.g., esc_html, esc_js) before rendering.
- Implement context-appropriate escaping: Review all outputs from user-supplied content and apply strict escaping and validation based on where the content is rendered.
- harden defense-in-depth: enable a Content Security Policy (CSP) that restricts inline scripts and event handlers, and consider a Web Application Firewall (WAF) rule to block suspicious XSS payloads.
- Operational hygiene: back up site, test the patch in a staging environment, and perform functional/security testing after applying remediation.
- Monitoring: enable monitoring for unusual script injections and review site security logs for XSS indicators; consider additional WordPress hardening measures.
References
- - Wordfence Threat Intelligence Vulnerabilities - CVE-2024-8914: https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef7c48b-e8f2-40bd-aa48-191059e15453?source=cve
- - WordPress.org plugins page (developers section) for the affected plugin: https://wordpress.org/plugins/bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang/#developers
- - WordPress Trac: bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang trunk/inc/functions.php#L184: https://plugins.trac.wordpress.org/browser/bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang/trunk/inc/functions.php#L184
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
