WordPress Sites Targeted via Kirki and Burst Statistics Vulnerabilities
- [01] Immediate impact: Attackers are exploiting unauthenticated stored XSS vulnerabilities to steal administrative sessions and take over vulnerable WordPress websites.
- [02] Affected systems: Impacted systems include WordPress installations using Kirki Customizer Framework prior to 5.1.0 and Burst Statistics prior to version 1.5.10.
- [03] Remediation: Administrators must immediately update both plugins to their latest versions and audit accounts for unauthorized administrative users.
Recent threat intelligence indicates that attackers are actively targeting two popular WordPress components to gain unauthorized access to web environments. According to SecurityWeek, vulnerabilities in the Kirki Customizer Framework and the Burst Statistics plugin are being exploited in the wild. Both flaws allow unauthenticated stored XSS, which serves as the primary vector for privilege escalation and full site compromise.
Technical Analysis: Stored XSS and Privilege Escalation
The most significant threat involves CVE-2024-11884, a critical flaw in the Kirki Customizer Framework. Kirki is widely used by theme developers to provide rich customization options. Because it is often bundled within premium and free themes, this vulnerability represents a significant supply-chain risk: site owners may not realize they are running the vulnerable code at all, since it never appears in their plugin list. The flaw allows an unauthenticated attacker to inject malicious scripts into the plugin’s stored settings. When an authenticated administrator later visits the settings page, the script executes in that administrator’s browser context and with their session, potentially allowing the attacker to create new administrative accounts or inject backdoors.
Simultaneously, the Burst Statistics plugin, which provides privacy-friendly analytics for WordPress, was found vulnerable to CVE-2024-11046. This unauthenticated stored XSS vulnerability occurs because the plugin fails to properly sanitize the ‘url’ parameter sent to its tracking endpoint. Attackers can provide a malicious payload in the URL field, which is then stored and executed when an administrator views the statistics dashboard. This technique is particularly effective because it targets the very users who hold the highest level of access to the system.
How to detect CVE-2024-11884 exploit attempts
For security professionals, knowing how to detect CVE-2024-11884 exploit attempts is essential for maintaining site integrity. Defenders should monitor their web server access logs for unusual POST requests to the admin-ajax.php endpoint, and for requests containing script tags in parameters associated with Kirki’s configuration. Note that standard access logs record the request line and query string but not the POST body, so full-request logging (for example from a WAF or reverse proxy) is needed to inspect form-encoded payloads. Furthermore, auditing the wp_options table for unexpected entries or modified values can provide an early indicator of a successful injection.
Similarly, for the Burst Statistics flaw, administrators should look for anomalous entries in the analytics database. If the tracked URLs contain <script> tags or obfuscated JavaScript, that is a high-confidence indicator of an attempted attack. Configuring a SIEM to alert on these patterns can significantly reduce the time to detection for a SOC team.
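The two checks described above, as an added example that is not from the advisory or from either plugin: it scans constructed combined-format access log lines for script indicators in the request line (calling out admin-ajax.php) and scans constructed Burst analytics rows, assumed to be exported as dicts with a 'url' key, for stored script content. The indicator patterns and the repeated URL-decoding (to normalise double-encoded values) are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Script-injection indicators (assumed, illustrative). Matched case-insensitively
# against the URL-decoded value so encoded tags such as %3Cscript%3E are caught.
SCRIPT_INDICATORS = re.compile(
    r"<\s*/?\s*script|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*="
    r"|\b(?:eval|atob|unescape)\s*\(",
    re.IGNORECASE,
)

# Apache/Nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_script_indicator(value: str) -> bool:
    return SCRIPT_INDICATORS.search(fully_decode(value)) is not None

def scan_access_log(lines):
    """Return (ip, method, path, reason) for request lines carrying a script indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if has_script_indicator(m["path"]):
            target = "admin-ajax.php" if "admin-ajax.php" in m["path"] else "other endpoint"
            findings.append((m["ip"], m["method"], m["path"], f"script indicator in request to {target}"))
    return findings

def scan_tracked_urls(rows):
    """Return analytics rows whose stored 'url' carries a script indicator."""
    return [row for row in rows if has_script_indicator(row.get("url", ""))]

# Constructed sample data (not real traffic); the third line is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?foo=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 98 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2025:10:02:11 +0000] "GET /?p=1&ref=%2520javascript%3Aalert(1) HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
SAMPLE_ROWS = [
    {"id": 1, "url": "https://example.com/blog/post-1"},
    {"id": 2, "url": "https://example.com/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("LOG  ", hit)
    for row in scan_tracked_urls(SAMPLE_ROWS):
        print("BURST", row["id"], row["url"])
```

The same `has_script_indicator` check can be run over exported wp_options values, since the Kirki injection lands in stored settings rather than in analytics rows.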
Mitigation and Defense-in-Depth
The primary remediation for these threats is to apply the relevant security patches immediately. For the Kirki Customizer Framework, users must update to version 5.1.0 or higher. Note that if the framework is bundled with a theme, the theme itself must be updated to a version that includes the patched framework. For Burst Statistics, users must update the plugin to version 1.5.10 or later, available from the WordPress plugin repository.
Beyond patching, organizations should adopt broader defenses against plugin-based privilege escalation. These include:
- Enforcing the Principle of Least Privilege by limiting the number of administrative accounts.
- Deploying a Web Application Firewall (WAF) to block common XSS payloads.
- Implementing a Content Security Policy (CSP) to prevent the execution of unauthorized inline scripts.
- Regularly scanning for CVE disclosures in the existing plugin stack.
While these flaws were not initially discovered as zero-days, the speed at which threat actors moved to exploit them after public disclosure highlights the necessity of rapid patch cycles. Unlike targeted phishing campaigns, these exploits are typically automated and mass-scanned, making any unpatched site a likely target.