Executive Summary
CVE-2024-3987 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress, affecting all versions up to and including 2.8.4.2. An authenticated attacker with the Author role or higher can store a script payload in image alt text, which the plugin renders without escaping. The script then runs in the browser of any user who views a page containing the injected image, enabling session hijacking, defacement, or redirection to attacker-controlled sites. Because the plugin is widely installed and the Author role is common on multi-author sites, site owners should treat the update as a priority.
Technical Information
CVE-2024-3987 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress, present in all versions up to and including 2.8.4.2. The plugin outputs image alt text without sufficient input sanitization or output escaping, so an authenticated user with the Author role or higher can store a payload in an image's alt text that is later rendered as live markup. The script executes in the browser of anyone who views the affected page.
The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (medium). The vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, low privileges (the Author role), and user interaction required (a victim must view the injected page). Scope is changed because the payload executes in the victim's browser rather than in the vulnerable server component, and the confidentiality and integrity impacts are each rated low; availability is not affected.
The CVE was published on June 6, 2024, and last modified on June 7, 2024. The primary risk is execution of attacker-controlled script in the origin of the affected site, which allows session hijacking, defacement, redirection to malicious sites, or actions performed silently in the victim's authenticated session.
Exploitation in the Wild
At the time of writing there are no public reports of CVE-2024-3987 being exploited in the wild. Stored XSS in WordPress plugins is nonetheless routinely weaponized once a patch discloses the flaw, and the required Author role is easy to obtain on sites that accept guest contributors. The absence of exploitation reports is not a reason to defer the update.
APT Groups using this vulnerability
No Advanced Persistent Threat (APT) group has been publicly linked to exploitation of CVE-2024-3987. The sectors and countries most often cited as WordPress targets (finance, healthcare and government in the United States, the United Kingdom and Australia) reflect general attacker interest in WordPress, not observed activity against this CVE. Organizations in those sectors that run the plugin should still prioritize the update, as should any site that grants Author access to untrusted or lightly vetted contributors.
Affected Product Versions
The WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin (slug: mobile-menu) is affected in all versions up to and including 2.8.4.2. Check the installed version under Plugins in the WordPress dashboard and update to a release later than 2.8.4.2; the fix is tracked in the WordPress Plugin Trac changeset listed under References.
Workaround and Mitigation
To mitigate the risk posed by CVE-2024-3987, take the following steps:
Update the Plugin: Update WP Mobile Menu to a release later than 2.8.4.2. Enable automatic updates for the plugin, or check for updates on a regular schedule and apply them promptly.
Input Sanitization and Output Escaping: For plugin developers, the fix is to escape the alt value for the attribute context at output time (esc_attr() in WordPress) and to sanitize it on save (sanitize_text_field()). Sanitizing on save alone is not sufficient: a value that contains no tags can still break out of a quoted attribute, so output escaping is the control that actually prevents stored XSS.
User Access Control: Limit the number of accounts with the Author role or higher, since that is the privilege level that can upload media and set image alt text. Apply least privilege: contributors who only write drafts do not need Author access, and dormant Author or Editor accounts should be removed.
Security Plugins: Use a WordPress security plugin such as Wordfence (https://www.wordfence.com) for firewall rules and alerting on suspicious requests and account activity. Treat this as a compensating control while patching, not as a replacement for the update.
Regular Security Audits: Review installed plugins and their versions regularly, and audit existing stored content, including image alt text, for markup or event-handler fragments that should not be there. Patching stops new injection but does not remove payloads that were stored before the update.
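The escaping point and the audit step above, as an added PHP example (not code from the WP Mobile Menu plugin or from the referenced fix): a vulnerable alt-text render next to its escaped form, plus a small check over stored alt values. The render functions, the CSS class name, the attachment IDs and the alt strings are constructed for illustration; when WordPress is not loaded, esc_attr() and sanitize_text_field() are approximated so the file runs on its own with the php CLI.

```php
<?php
// Added example, not code from the WP Mobile Menu plugin. Contrasts an
// unescaped alt-text render with the escaped form and adds a small audit
// over stored alt values. Run stand-alone with: php alt_text_xss.php
//
// Assumption: when WordPress is not loaded, esc_attr() and
// sanitize_text_field() are approximated below so the file runs on its own.
// Inside WordPress the real functions are used instead.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode every character that could
    // close or extend an HTML attribute (&, <, >, " and ').
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strip tags and control
    // characters, collapse whitespace, trim. Note it does NOT touch quotes.
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        $text = preg_replace('/\s+/', ' ', $text);
        return trim($text);
    }
}

// Vulnerable pattern: stored alt text is concatenated straight into the
// attribute. An Author controls this value through the media library.
// "menu-image" is a hypothetical class name used only for illustration.
function render_menu_image_vulnerable(string $src, string $alt): string {
    return '<img class="menu-image" src="' . $src . '" alt="' . $alt . '">';
}

// Hardened pattern: escape at output time for the attribute context.
// Sanitizing on save is defense in depth; escaping on output is what
// actually stops the stored value from becoming markup.
function render_menu_image_hardened(string $src, string $alt): string {
    return '<img class="menu-image" src="' . esc_attr($src)
         . '" alt="' . esc_attr($alt) . '">';
}

// Audit helper: flag stored alt values that contain attribute-breaking or
// script-like content. Meant for a one-off review of existing
// _wp_attachment_image_alt meta; a hit means "inspect", not "exploited".
function audit_alt_texts(array $alts): array {
    $suspicious = [];
    foreach ($alts as $attachment_id => $alt) {
        if (preg_match('/[<>"\']|on\w+\s*=|javascript:/i', $alt)) {
            $suspicious[] = $attachment_id;
        }
    }
    return $suspicious;
}

// Constructed sample data: one benign alt and one attacker-style alt that
// closes the quoted attribute and adds an event handler. The IDs are made up.
$sample_alts = [
    101 => 'Company logo',
    102 => 'x" onload="alert(document.cookie)',
];

$src = 'https://example.invalid/logo.png';

echo "Vulnerable:\n  ", render_menu_image_vulnerable($src, $sample_alts[102]), "\n";
echo "Hardened:\n  ", render_menu_image_hardened($src, $sample_alts[102]), "\n";
echo "Sanitized on save, then escaped:\n  ",
     render_menu_image_hardened($src, sanitize_text_field($sample_alts[102])), "\n";
echo "Attachments needing review: ", implode(', ', audit_alt_texts($sample_alts)), "\n";
```

The vulnerable render emits a live onload handler, while the hardened render turns the quotes into &quot; so the whole value stays inside the alt attribute. The sanitize-on-save line shows why escaping is the decisive control: the payload contains no tag, so sanitize_text_field() leaves it intact and only esc_attr() neutralizes it. Any attachment IDs printed by the audit are candidates for manual inspection and cleanup after the plugin has been updated.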
References
For more detailed information and guidance on CVE-2024-3987, please refer to the following resources:
NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-3987
Wordfence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/7bcbc6b6-ed05-4709-bf05-214418798339?source=cve
WordPress Plugin Trac: https://plugins.trac.wordpress.org/changeset/3097563/mobile-menu/trunk/includes/class-wp-mobile-menu-core.php
GitHub Advisory: https://github.com/advisories/GHSA-9grv-rp7x-5jp8
Debricked Database: https://debricked.com/vulnerability-database/vulnerability/CVE-2024-3987
Rescana is here for you
At Rescana, we understand the critical importance of maintaining robust cybersecurity defenses. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2024-3987. We provide comprehensive threat intelligence and proactive security measures to ensure your organization remains protected against emerging threats. If you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your digital assets.