VYPR
Medium severity · CVSS 5.9 · NVD Advisory · Published Apr 11, 2024 · Updated Apr 28, 2026

CVE-2024-31928

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Darko Top Bar allows Stored XSS. This issue affects Top Bar: from n/a through 3.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Top Bar plugin ≤3.0.5 allows authenticated attackers to inject arbitrary scripts.

The Top Bar plugin for WordPress versions 3.0.5 and below suffers from a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject malicious scripts that are stored on the server and executed when other users view affected pages.

To exploit this vulnerability, an attacker must have authenticated access to the WordPress site with at least contributor-level privileges. The attacker can then inject arbitrary HTML and JavaScript payloads into the top bar settings; because the payload is stored server-side, it fires whenever an administrator or visitor loads a page on which the top bar is rendered [1]. Exploitation therefore still depends on a victim, typically a privileged user, opening a page that displays the crafted content.

If exploited, the attacker can execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, redirection to malicious sites, injection of advertisements, or defacement of the website [1]. These attacks can be part of mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity.

The vulnerability has been addressed in version 3.0.6 of the Top Bar plugin. Users are strongly advised to update to 3.0.6 or later immediately. For those unable to update promptly, Patchstack users can enable auto-update for vulnerable plugins [1].
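The pattern behind this class of bug, shown as an added illustration that is not code from the Top Bar plugin, from WP Darko, or from Patchstack: a hypothetical plugin fragment that stores a message in a WordPress option and renders it in a site-wide bar. The option names (demo_top_bar_message, demo_top_bar_url), function names and hooks are assumptions for the example; the WordPress APIs used (register_setting, wp_kses, esc_url_raw, esc_url, esc_attr, current_user_can) are real core functions. The first render function echoes the stored value verbatim, which is the stored-XSS shape described above; the second sanitizes on save and escapes on output, with the escaping chosen per context.

```php
<?php
/**
 * Hypothetical WordPress plugin fragment (example only, not the Top Bar plugin's
 * code). Option names, function names and the hook choice are assumptions.
 */

// --- BEFORE: the stored-XSS shape --------------------------------------------
// Whatever was saved into the option is written into every page's HTML as-is.
// A value such as <img src=x onerror=alert(document.cookie)> saved once will run
// in the browser of every visitor and administrator who loads any page.
function demo_top_bar_render_unsafe() {
    $message = get_option( 'demo_top_bar_message', '' );
    $url     = get_option( 'demo_top_bar_url', '' );
    echo '<div class="demo-top-bar"><a href="' . $url . '">' . $message . '</a></div>';
}

// --- AFTER: sanitize on save, escape on output --------------------------------

// Small HTML allowlist for the message. wp_kses() drops every element and
// attribute not listed here, including <script> and on* event handlers, and
// rejects javascript: and other non-allowed URL schemes in href.
function demo_top_bar_allowed_html() {
    return array(
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Sanitize callbacks run for every write through the Settings API.
function demo_top_bar_sanitize_message( $value ) {
    // Refuse to accept a new value from a user who may not manage settings;
    // keep the existing one instead. (Capability check is an assumption about
    // the plugin's intended access model, not something the advisory states.)
    if ( ! current_user_can( 'manage_options' ) ) {
        return get_option( 'demo_top_bar_message', '' );
    }
    return wp_kses( (string) $value, demo_top_bar_allowed_html() );
}

function demo_top_bar_sanitize_url( $value ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return get_option( 'demo_top_bar_url', '' );
    }
    // esc_url_raw() is the storage-side URL sanitizer: it strips disallowed
    // schemes such as javascript: and returns '' for an unusable value.
    return esc_url_raw( (string) $value );
}

function demo_top_bar_register_settings() {
    register_setting( 'demo_top_bar', 'demo_top_bar_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_top_bar_sanitize_message',
        'default'           => '',
    ) );
    register_setting( 'demo_top_bar', 'demo_top_bar_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_top_bar_sanitize_url',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_top_bar_register_settings' );

// Escape again at render time, per output context. The database is not a trust
// boundary: the option may have been written before the sanitizer existed, by a
// direct update_option() call elsewhere, or by a different plugin.
function demo_top_bar_render_safe() {
    $message = get_option( 'demo_top_bar_message', '' );
    $url     = get_option( 'demo_top_bar_url', '' );

    echo '<div class="demo-top-bar">';
    if ( '' !== $url ) {
        // Attribute context holding a URL: esc_url() re-validates the scheme and
        // encodes characters that would break out of the attribute.
        echo '<a href="' . esc_url( $url ) . '" title="' . esc_attr( wp_strip_all_tags( $message ) ) . '">';
    }
    // HTML context where limited markup is intended: re-apply the allowlist
    // rather than esc_html(), which would show the tags literally.
    echo wp_kses( $message, demo_top_bar_allowed_html() );
    if ( '' !== $url ) {
        echo '</a>';
    }
    echo '</div>';
}
add_action( 'wp_body_open', 'demo_top_bar_render_safe' );
```

The two render functions differ only in escaping, which is the whole of the fix for this bug class: a value that contributors or other lower-privileged roles can influence must be treated as untrusted both when it is saved and when it is emitted, and the escaping function must match the context (URL attribute, plain attribute, or HTML body), since one function does not cover all three.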

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.