VYPR
Medium severity 5.9 · NVD Advisory · Published May 6, 2024 · Updated Apr 28, 2026

CVE-2024-34375

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL Sheets To WP Table Live Sync allows Stored XSS. This issue affects Sheets To WP Table Live Sync: from n/a through 3.7.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Sheets To WP Table Live Sync plugin (<=3.7.0) allows contributor+ attackers to inject malicious scripts.

Vulnerability

The WordPress plugin "Sheets To WP Table Live Sync" (later renamed FlexTable), in versions up to and including 3.7.0, contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly neutralize user input when syncing data from Google Sheets into WordPress tables. This allows malicious actors to inject arbitrary web scripts via the synced content; the scripts are then stored and executed in the context of the admin area when users view the tables.
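
The failure described above is missing output encoding of synced cell values. As an added illustration (not the plugin's code and not taken from the advisory), the following PHP contrasts a hypothetical renderer that concatenates cell text into markup with one that encodes each cell for the HTML text context. The function names and the sample rows are assumptions constructed for this example.

```php
<?php
// Added example: hypothetical renderer, not the plugin's actual code.
// $rows stands in for cell values fetched from a synced Google Sheet;
// every cell is untrusted text and must be encoded on output.

/** Unsafe pattern: cell text is concatenated into markup as-is. */
function render_table_unsafe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . implode('</td><td>', $row) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Hardened pattern: encode one cell for the HTML text context. */
function escape_cell($value): string
{
    // Inside WordPress, esc_html() is the usual call for this context.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_table_safe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $cells = array_map('escape_cell', $row);
        $html .= '<tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample data: the second row carries markup in a cell.
$rows = [
    ['Item', 'Price'],
    ['Widget <script>alert(1)</script>', '9.99'],
    ['Tom & "Jerry"', 12],
];

$unsafe = render_table_unsafe($rows);
$safe   = render_table_safe($rows);

// The unsafe output contains a live <script> element; the safe output
// carries the same characters as inert text (&lt;script&gt;...).
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') === false);
echo $safe;
```

Encoding at render time protects every viewer of the table regardless of what was stored during an earlier sync.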

Exploitation

An attacker with at least Contributor-level access to the WordPress site can exploit this by crafting a Google Sheets entry containing malicious JavaScript. When the table syncs, the script is embedded in the page. When an administrator or other user views the table in the admin dashboard or on the front end, the script executes. No additional user interaction beyond viewing the affected page is required.

Impact

Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of users who view the synced table. This can lead to session hijacking, defacement, theft of sensitive information, or further compromise of the WordPress site by performing actions on behalf of the targeted administrator.

Mitigation

The vulnerability is fixed in version 3.8.0 and later. Users should update to the latest version (3.24.0) available from the WordPress plugin repository [1]. Until the update is applied, restrict Contributor-level access and ensure only trusted users can modify sheets. No official workaround is documented beyond updating.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1