VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published Dec 7, 2024 · Updated Apr 15, 2026

CVE-2024-11457

Description

The Feedpress Generator – External RSS Frontend Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Feedpress Generator – External RSS Frontend Customizer plugin for WordPress, in all versions up to and including 1.2.1, reflects the 'tab' request parameter into page output without adequate sanitization or escaping. An unauthenticated attacker who gets a user to open a crafted link can run script in that user's browser, in the WordPress site's origin.

Vulnerability

CVE-2024-11457 is a reflected cross-site scripting (XSS) vulnerability in the Feedpress Generator – External RSS Frontend Customizer plugin for WordPress, affecting all versions up to and including 1.2.1. The root cause is that the value of the 'tab' request parameter is written back into the page's HTML without sufficient input sanitization or output escaping, so an attacker-controlled value can break out of the surrounding markup (an attribute or element) and introduce script.[1]

Exploitation

An unauthenticated attacker crafts a URL to the affected page with an attacker-chosen value for the 'tab' parameter and induces a victim to open it (a link in an email, a forum post, or a redirect from another site). No authentication is required of the attacker. Because the flaw is reflected rather than stored, nothing persists on the server: the payload executes in the victim's browser each time the crafted URL is loaded, in the origin of the WordPress site. If the victim is a logged-in user, the injected script runs with that user's session.
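As an added illustration, not the Feedpress Generator plugin's own code (the plugin's source is not reproduced on this page), the PHP below shows the generic WordPress settings-page pattern that produces this class of bug, a 'tab' switcher that echoes the requested tab back into markup, next to a hardened version. The tab names, the `page=example` query string and the function names are hypothetical. When the file is run outside WordPress with the `php` CLI, minimal stand-ins for `esc_attr()`, `esc_html()` and `sanitize_key()` are defined so it runs on its own.

```php
<?php
// Added example: generic WordPress settings-page tab switcher, vulnerable and hardened.
// This is NOT the Feedpress Generator plugin's code. Tab names, the query string and
// function names are hypothetical. The shims below stand in for WordPress's own
// esc_attr(), esc_html() and sanitize_key() so the file runs under plain `php`.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): HTML-escape for an attribute value.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): HTML-escape for element text.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_key')) {
    // Stand-in for WordPress sanitize_key(): lowercase, keep only [a-z0-9_-].
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}

// Vulnerable pattern: the 'tab' query parameter is read raw and written into
// markup unescaped. A value such as  "><script>alert(1)</script>  closes the
// attribute and the tag, and the script runs in the victim's browser.
function render_tabs_vulnerable(array $get) {
    $tab  = isset($get['tab']) ? $get['tab'] : 'general';
    $html = '';
    foreach (['general', 'display', 'advanced'] as $name) {
        $class = ($name === $tab) ? 'nav-tab nav-tab-active' : 'nav-tab';
        $html .= '<a class="' . $class . '" href="?page=example&tab=' . $name . '">'
               . ucfirst($name) . '</a>';
    }
    // The reflection points: current tab echoed into a heading and a hidden field.
    $html .= '<h2>Tab: ' . $tab . '</h2>';
    $html .= '<input type="hidden" name="tab" value="' . $tab . '">';
    return $html;
}

// Hardened pattern: (1) normalise the value, (2) accept it only if it is one of a
// fixed allowlist of tab names, falling back to a default instead of reflecting
// unknown input, and (3) still escape on output, because allowlisting and
// escaping guard against different mistakes.
function render_tabs_hardened(array $get) {
    $allowed   = ['general', 'display', 'advanced'];
    $requested = isset($get['tab']) ? sanitize_key($get['tab']) : 'general';
    $tab       = in_array($requested, $allowed, true) ? $requested : 'general';
    $html = '';
    foreach ($allowed as $name) {
        $class = ($name === $tab) ? 'nav-tab nav-tab-active' : 'nav-tab';
        $html .= '<a class="' . esc_attr($class) . '" href="?page=example&amp;tab='
               . esc_attr($name) . '">' . esc_html(ucfirst($name)) . '</a>';
    }
    $html .= '<h2>Tab: ' . esc_html($tab) . '</h2>';
    $html .= '<input type="hidden" name="tab" value="' . esc_attr($tab) . '">';
    return $html;
}

// Self-check when run from the command line: feed both renderers the same
// constructed payload and show what each reflects.
if (PHP_SAPI === 'cli') {
    $payload = '"><script>alert(document.domain)</script>';   // constructed test input
    $vuln = render_tabs_vulnerable(['tab' => $payload]);
    $safe = render_tabs_hardened(['tab' => $payload]);
    echo 'vulnerable reflects raw <script>: ' . (strpos($vuln, '<script>') !== false ? 'yes' : 'no') . "\n";
    echo 'hardened reflects raw <script>:   ' . (strpos($safe, '<script>') !== false ? 'yes' : 'no') . "\n";
    preg_match('/name="tab" value="([^"]*)"/', $safe, $m);
    echo 'hardened resolved tab to:         ' . ($m[1] ?? '?') . "\n";
}
```

Run as `php tabs.php`: the vulnerable renderer reports that it reflected the raw `<script>` tag, while the hardened one reports no raw script and a resolved tab of `general`, because the payload is not in the allowlist and the fallback is used. In a real plugin the WordPress-native `sanitize_key()`, `esc_attr()` and `esc_html()` are called directly. The allowlist is the part that matters most: a parameter whose only job is to select among a fixed set of tabs never needs to be echoed back verbatim, so there is no reason for attacker-controlled bytes to reach the output at all.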

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the WordPress site's origin. Against a logged-in administrator this means session riding: the script can issue authenticated requests to wp-admin on the victim's behalf (for example to change settings, create users or install code), deface the page the victim is viewing, or redirect the victim to a malicious site. Direct theft of the WordPress authentication cookie is limited because WordPress marks it HttpOnly, but that does not prevent the script from acting with the victim's session. The CVSS v3 base score is 6.1 (Medium), reflecting that the attack needs user interaction and that the directly scored confidentiality and integrity impact is low, with a scope change because the code runs in the victim's browser rather than on the vulnerable server.

Mitigation

The plugin was closed on December 6, 2024 and is no longer available for download from the WordPress plugin repository. No patched version exists, so the only real remediation is to uninstall the plugin; deactivating it is not enough if the vulnerable file can still be requested directly, and a closed plugin will receive no future security updates. Until removal is complete, a web application firewall rule that rejects a 'tab' parameter containing characters such as `<`, `>`, `"` or the string `javascript:` reduces exposure, and web server logs can be reviewed for requests whose 'tab' value contains those characters to identify attempted exploitation.[1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 2

News mentions: 0 (no linked articles in the index yet)