CVE-2024-29124
Description
Stored XSS vulnerability in Advanced Access Manager plugin for WordPress up to version 6.9.20 allows attackers to inject malicious scripts via improper input neutralization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Advanced Access Manager (AAM) plugin for WordPress, versions up to and including 6.9.20, contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation (CWE-79) [1]. Attacker-supplied input is saved by the plugin without adequate sanitization and later rendered into a page without output escaping, so an injected script is persisted and executes in the browser of every user who loads the affected page.
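The pattern behind this class of bug, as an added illustration that is not AAM's code: a setting is stored raw and echoed back unescaped, beside the hardened save/render pair that sanitizes on input, gates the write behind a capability check and escapes on output for the HTML context it lands in. The option name `demo_aam_label`, the two payloads and the in-memory `$options` array are constructed for the example; the `function_exists` fallbacks approximate the WordPress helpers of the same names so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's own code): stored XSS via an unescaped
// setting, and the hardened equivalent. Fallbacks approximate the WordPress
// helpers so this runs stand-alone with `php stored_xss_demo.php`.

if (!function_exists('esc_html')) {
    // WordPress esc_html(): HTML-encode for a text node context.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // WordPress esc_attr(): HTML-encode for a quoted attribute context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress sanitize_text_field(): drop tags and control chars, trim.
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable: raw input goes into storage, and comes back out unescaped.
function vulnerable_save(array &$options, string $input): void {
    $options['demo_aam_label'] = $input;                     // no sanitization
}
function vulnerable_render(array $options): string {
    return '<td>' . $options['demo_aam_label'] . '</td>';    // no escaping
}

// Hardened: capability check, sanitize on input, escape on output per context.
// In WordPress the $canManage check is current_user_can('manage_options')
// together with a nonce check; it is passed in here so the file runs alone.
function hardened_save(array &$options, string $input, bool $canManage): void {
    if (!$canManage) {
        throw new RuntimeException('insufficient capability to change this setting');
    }
    $options['demo_aam_label'] = sanitize_text_field($input);
}
function hardened_render(array $options): string {
    $label = $options['demo_aam_label'];
    // Same value lands in two contexts, so each gets its own escaper.
    return '<td title="' . esc_attr($label) . '">' . esc_html($label) . '</td>';
}

$options = [];   // constructed stand-in for the wp_options row

// Constructed payloads: a tag-based one and an attribute-breakout one.
$tagPayload  = '<img src=x onerror="alert(document.cookie)">';
$attrPayload = '" onmouseover="alert(1)';

vulnerable_save($options, $tagPayload);
echo vulnerable_render($options), PHP_EOL;   // <img ...> survives: stored XSS

hardened_save($options, $tagPayload, true);
echo hardened_render($options), PHP_EOL;     // tag stripped on save: empty label

// Input sanitization alone is not enough: this payload contains no tag,
// so sanitize_text_field leaves it intact; output escaping is what stops it.
hardened_save($options, $attrPayload, true);
echo hardened_render($options), PHP_EOL;     // quotes become &quot;: no breakout

try {
    hardened_save($options, $tagPayload, false);   // lower-privileged caller
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The third render is the point worth remembering when reviewing a fix for a bug like this one: stripping tags on save does nothing against a value that only needs to close a quote, so a patch that adds sanitization but leaves the `echo` unescaped is incomplete.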
Exploitation
An attacker who can submit input that the plugin stores and later renders (the description does not name the specific field; plugin settings or access-policy data are the likely candidates) can embed a script payload in it. The privilege level required is not stated in the description: if the vulnerable field is writable by a lower-privileged role, no elevated privileges are needed. The payload is stored and then executes in the browser of every user who later views the affected page, including administrators.
Impact
Successful exploitation gives the attacker script execution in the victim's browser inside an authenticated WordPress session: the script can issue requests on the victim's behalf using the nonces present on the page, change plugin or site settings, or redirect the victim to an attacker-controlled site. WordPress sets its authentication cookies HttpOnly, so direct cookie theft is generally not available, but that does not reduce the severity: a payload viewed by an administrator can perform any administrative action, including creating a new administrator account, which amounts to full privilege escalation.
Mitigation
According to the cited reference, the vulnerability is fixed in version 7.1.1 of the Advanced Access Manager plugin [1]; update to that version or later from the WordPress plugin repository, where the plugin is actively maintained. The references describe no workaround. Until the update is applied, a sensible interim measure is to restrict which roles can reach the plugin's settings screens and to review the plugin's stored settings for unexpected HTML or script content.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (both without a CPE identifier):
- range: <=6.9.20
- range: <=6.9.20
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference (cited inline as [1])
News mentions
No linked articles in our index yet.