CVE-2024-34752
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PluginOps Landing Page Builder allows Reflected XSS. This issue affects Landing Page Builder: from n/a through 1.5.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in PluginOps Landing Page Builder for WordPress (up to 1.5.1.8) allows unauthenticated attackers to inject arbitrary scripts via improper input neutralization.
The PluginOps Landing Page Builder plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. The flaw affects versions through 1.5.1.8, where the plugin fails to sanitize or escape certain parameters before including them in the page output, enabling injection of malicious HTML and JavaScript [1].
Exploitation requires user interaction: an attacker can craft a malicious link or URL containing the injected script and trick a privileged user (e.g., an administrator) into clicking it or submitting a crafted form [1]. No authentication is needed for the attacker beyond the ability to deliver the malicious link, making this suitable for mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].
If successfully exploited, an attacker can execute arbitrary scripts in the context of the victim's browser session. This can lead to redirects, serving of advertisements, theft of session cookies, or other unauthorized actions that affect both the site administrator and regular visitors [1].
The vendor recommends updating to version 1.5.1.9 or later, which contains the fix [1]. Patchstack has also issued a mitigation rule to block attacks until the update is applied [1]. Organizations unable to update immediately should consult their hosting provider or web developer for alternative workarounds.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.1.8
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.