CVE-2024-11386

Vulnerability

Overview

The GatorMail SmartForms plugin for WordPress versions up to and including 1.1.0 is vulnerable to Stored Cross-Site Scripting (XSS). The flaw exists in the plugin's [gatormailsmartform] shortcode, where user-supplied attributes are not properly sanitized or escaped before being output. This allows malicious HTML or JavaScript to be stored on the server and executed in the browsers of visitors who access the injected page [1].

Exploitation

Prerequisites

An attacker must have at least a WordPress contributor-level account to insert or modify the vulnerable shortcode. The attack does not require high privileges; any authenticated user who can add content (such as posts or pages) using the shortcode can inject arbitrary web scripts. The plugin's own documentation shows the shortcode accepts an id attribute, and this is the vector for the injection [1].

Impact

When a user visits a page containing an injected shortcode, the stored script executes in their browser. This can lead to session hijacking, credential theft, defacement, or other actions that the victim's browser allows. As the attack is stored, every subsequent visitor to the affected page is at risk.

Mitigation

Status

The vulnerability is fixed in version 1.1.1 of the plugin, which improved security and was tested against the latest WordPress version. Administrators are strongly advised to update immediately. No workaround is provided besides upgrading to the patched release [1].