CVE-2024-11198

Vulnerability

Overview

The GD Rating System plugin for WordPress, in all versions up to and including 3.6.1, is vulnerable to Stored Cross-Site Scripting (XSS). The flaw resides in the insufficient sanitization and output escaping of the extra_class parameter. This allows malicious input to be stored in the WordPress database and later rendered unsafely in the user's browser [1].

Exploitation

Path

Authenticated users with at least Contributor-level access can exploit this vulnerability. By injecting arbitrary web scripts into the extra_class field (e.g., via a crafted shortcode or block), the payload becomes part of a page's output. Any subsequent visitor viewing that page will then execute the injected script, as WordPress processes the stored data without proper escaping [1].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of a logged-in administrator's or visitor's session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as authentication cookies. The attacker does not need any special network position beyond the ability to create or edit posts using the plugin [1].

Mitigation

Users should immediately update GD Rating System to version 3.6.2 or later, which includes proper input sanitization and output escaping for the extra_class parameter. No workaround is available for the vulnerable parameter, so updating is strongly recommended [1].