VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Jun 25, 2024 · Updated Apr 15, 2026

CVE-2024-31111

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated, stored XSS vulnerability in WordPress core versions 5.9 through 6.5 allows high-privileged users to inject arbitrary scripts via crafted template parts.

Root cause

CVE-2024-31111 is a stored cross-site scripting (XSS) vulnerability in WordPress core, affecting versions 6.0 through 6.5.4, 5.9 through 5.9.9, and their corresponding branches. The flaw lies in improper neutralization of input during web page generation, specifically within the template part system. This allows elevated users (e.g., administrators) to inject malicious scripts that persist on the server and execute in visitors' browsers [1].

Exploitation

Exploitation requires a privileged user—such as an editor or administrator—to create or modify a template part containing crafted input. The attacker must already have at least Author-level access. While no direct user interaction is needed beyond the initial malicious content creation, the injected script executes when any visitor loads a page that uses the compromised template part [1]. The attack vector is network-based, with low attack complexity and low privileges required.

Impact

Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript into affected WordPress pages. This can lead to redirects, injected advertisements, data exfiltration, or further compromise of the site (e.g., privilege escalation or session hijacking) when visitors execute the payload [1]. The CVSS v3 base score of 6.5 reflects medium severity, with the primary impacts on integrity and availability (partial, low).

Mitigation

The vulnerability has been patched in WordPress version 6.5.5. Users on any affected branch should update immediately. There is no known evidence of mass exploitation reported in the advisory, but given the widespread use of WordPress, prompt patching is recommended. No workarounds are detailed; updating to the latest version is the only complete fix [1].
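To make the affected ranges from the description actionable on a real install, the following Python script is an added example (it is not part of the advisory and is not WordPress code). It reads the installed version from the `$wp_version = '...';` assignment that WordPress ships in `wp-includes/version.php`, then tests it against the inclusive ranges listed above and reports the fixed release 6.5.5. The embedded sample file contents are constructed for the demonstration; the function names and the three-part version comparison are this example's own choices.

```python
import re

# Inclusive affected ranges, exactly as listed in the CVE-2024-31111 description.
AFFECTED_RANGES = [
    ("6.5", "6.5.4"),
    ("6.4", "6.4.4"),
    ("6.3", "6.3.4"),
    ("6.2", "6.2.5"),
    ("6.1", "6.1.6"),
    ("6.0", "6.0.8"),
    ("5.9", "5.9.9"),
]

# First fixed release per the advisory's Mitigation section.
FIXED_VERSION = "6.5.5"

# Matches the assignment WordPress ships in wp-includes/version.php,
# e.g.  $wp_version = '6.5.4';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")


def parse_version(version):
    """Convert '6.5' or '6.5.4' (or '6.5.5-RC1') into a 3-tuple of ints.

    Missing components are padded with 0 so that '6.5' sorts as 6.5.0,
    which is what the description's 'from 6.5' means. A pre-release suffix
    after the numeric part is ignored for range purposes.
    """
    fields = []
    for part in version.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        if m is None:
            raise ValueError(f"unparseable version component {part!r} in {version!r}")
        fields.append(int(m.group()))
    while len(fields) < 3:
        fields.append(0)
    return tuple(fields)


def is_affected(version):
    """True if the version lies inside any listed (inclusive) affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_version_php(source):
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = WP_VERSION_RE.search(source)
    if m is None:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def assess(version):
    """Return (affected, message) for a reported WordPress version.

    A version outside the listed ranges is reported as 'not listed', not as
    safe: the check only reflects the ranges this advisory names.
    """
    if is_affected(version):
        return True, (f"WordPress {version} is in an affected range of CVE-2024-31111; "
                      f"update to {FIXED_VERSION} or later")
    return False, f"WordPress {version} is not in the ranges listed for CVE-2024-31111"


# Constructed sample of a vulnerable install's wp-includes/version.php
# (illustrative contents, not copied from a real file).
SAMPLE_VERSION_PHP = """<?php
$wp_version = '6.5.4';
"""

if __name__ == "__main__":
    installed = version_from_version_php(SAMPLE_VERSION_PHP)
    affected, msg = assess(installed)
    print(msg)
    raise SystemExit(1 if affected else 0)
```

On a live host, replace `SAMPLE_VERSION_PHP` with the contents of the install's `wp-includes/version.php` (for example `open("wp-includes/version.php").read()`); the non-zero exit status makes the check usable from a fleet inventory job. Because the script encodes only the ranges this advisory lists, a version below 5.9 or above 6.5.4 comes back as "not listed", which is a prompt to consult the vendor's release notes rather than a clean bill of health.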

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)