CVE-2024-2401
Description
The Admin Page Spider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Admin Page Spider plugin (≤3.31) allows admin-level attackers to inject scripts on multi-site or when unfiltered_html is disabled.
The Admin Page Spider plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.31. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings, allowing unvalidated data to be stored and later executed in the context of an administrator's browser [1].
Exploitation requires an authenticated attacker with administrator-level permissions. However, the vulnerability only affects multi-site installations or single-site installations where the unfiltered_html capability has been disabled for administrators. Under these conditions, an attacker can inject arbitrary web scripts via the plugin's settings pages [1].
When a user—typically another administrator—accesses an injected page, the stored script executes. This can lead to session hijacking, malicious actions performed on behalf of the victim, or further compromise of the WordPress site. The impact is limited to the administrative scope due to the required privileges [1].
As of the publication date, the vulnerability has not been patched in the 3.31 version. Users are advised to disable the plugin or ensure unfiltered_html is enabled for administrators on single-site installations, and to monitor for updates from the plugin author [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
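As an added illustration (not the Admin Page Spider plugin's code, which this page does not reproduce), the PHP below shows the general pattern the description refers to: an admin setting stored without sanitization and echoed without escaping, placed beside the hardened form that uses the WordPress Settings API to sanitize on save and escape on output. The option name `aps_demo_label`, the settings group `aps_demo_options` and all function names are hypothetical; the WordPress functions called (`register_setting`, `sanitize_text_field`, `esc_html`, `esc_attr`, `wp_kses_post`, `current_user_can`, `settings_fields`) are core API.

```php
<?php
// Added example, not the plugin's own code. Option name, settings group and
// function names below are hypothetical placeholders.

// ---- Unsafe pattern: what "insufficient sanitization and escaping" looks like ----

function aps_demo_save_unsafe() {
    // Raw request value written straight to the options table.
    if ( isset( $_POST['aps_demo_label'] ) ) {
        update_option( 'aps_demo_label', wp_unslash( $_POST['aps_demo_label'] ) );
    }
}

function aps_demo_render_unsafe() {
    // Stored value echoed into an admin page with no escaping: anything stored
    // as markup is interpreted by the next administrator's browser.
    echo '<h2>' . get_option( 'aps_demo_label', '' ) . '</h2>';
}

// ---- Hardened pattern: sanitize on save, escape on output ----

// A plain-text label never needs markup, so strip it on the way in.
function aps_demo_sanitize_label( $value ) {
    return sanitize_text_field( (string) $value );
}

// Registering the option with a sanitize_callback makes the Settings API run
// the callback on every save that goes through options.php; that handler also
// performs the capability and nonce checks for the settings group.
add_action( 'admin_init', function () {
    register_setting(
        'aps_demo_options',
        'aps_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'aps_demo_sanitize_label',
            'default'           => '',
        )
    );
} );

function aps_demo_render_safe() {
    $label = get_option( 'aps_demo_label', '' );

    // Escape for the context the value lands in: esc_html for element content,
    // esc_attr for an attribute value. Escaping happens even though the value
    // was sanitized on save, so a stale or directly edited row is still inert.
    echo '<h2>' . esc_html( $label ) . '</h2>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'aps_demo_options' );
    echo '<input type="text" name="aps_demo_label" value="' . esc_attr( $label ) . '">';
    submit_button();
    echo '</form>';
}

// If a setting legitimately carries limited HTML, restrict it to the post
// allow-list unless the saving user holds unfiltered_html. This mirrors the
// condition in the advisory: where unfiltered_html is disabled (and on
// multisite, where non-super-admins lack it), stored script must be rejected.
function aps_demo_sanitize_rich( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( (string) $value );
}
```

The advisory's scoping condition follows from the last function: WordPress core lets a user with `unfiltered_html` store raw markup by design, so the plugin-level defect only matters where that capability is absent, which is the multisite default for non-super-admin administrators and any site where it has been removed with `DISALLOW_UNFILTERED_HTML`. Sanitizing in the `sanitize_callback` and escaping at every echo closes the gap regardless of how the capability is configured.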
Affected products
- (no CPE)
- (no CPE), range: <=3.31
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.