CVE-2024-3473

The Header Footer Code Manager Pro plugin for WordPress, in all versions up to and including 1.0.16, contains a reflected cross-site scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping of the message parameter. This flaw occurs when user-supplied data is reflected back to the browser without proper neutralization.

Exploitation requires no authentication and is performed by tricking a user into clicking a crafted link. The attacker can inject arbitrary web scripts into the resulting page, which then executes in the victim's browser context. The attack surface is the same as any WordPress plugin that accepts and reflects GET parameters without escaping.

Successful exploitation allows an attacker to execute JavaScript in the context of the logged-in site administrator or other user. This can lead to session hijacking, credential theft, or defacement of the WordPress dashboard. The vulnerability is rated as Medium severity with a CVSS v3 score of 6.1 [1].

A patched version of the plugin is likely available; users should update to the latest release as indicated in the official product roadmap [1]. No workarounds have been documented, but sanitizing the message parameter with appropriate escaping functions would mitigate the issue.