CVE-2024-32696

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the QuantumCloud Infographic Maker – iList plugin for WordPress versions from n/a through 4.6.6. The plugin fails to properly neutralize user input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code that is stored and later executed in the context of an administrator's browser [1].

Exploitation

An attacker with contributor-level access or higher can inject malicious scripts via input fields such as infographic titles, list items, or other user-modifiable content. The injected payload is stored in the database and executed when an administrator views the affected page or list, such as the infographic editor or frontend display [1].

Impact

Successful exploitation leads to stored XSS, enabling attackers to execute arbitrary scripts in the context of the logged-in administrator's session. This can result in defacement, theft of session cookies, exposure of sensitive data, or further privilege escalation within the WordPress admin area [1].

Mitigation

The vulnerability is fixed in version 5.1.7 of the plugin, which is available for download from the WordPress plugin repository. Users should upgrade to this version or later. No other workarounds are documented [1].