VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 3, 2024 · Updated Apr 23, 2026

CVE-2024-34801

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mervin Praison Praison SEO WordPress seo-wordpress allows DOM-Based XSS. This issue affects Praison SEO WordPress: from n/a through <= 4.0.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-based XSS in Praison SEO WordPress plugin versions ≤4.0.15 allows attackers to inject malicious scripts via unsanitized input.

Vulnerability

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Praison SEO WordPress plugin (seo-wordpress) versions up to and including 4.0.15. The plugin fails to properly neutralize user-supplied input during web page generation, enabling script injection into the DOM of a victim's browser. The flaw resides in the client-side handling of data, likely within JavaScript that processes URL fragments or other DOM sources without sanitization.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in a DOM-reachable parameter (e.g., a fragment identifier). The victim must click the crafted link while logged into the WordPress admin area or while the plugin's frontend scripts are active. No additional authentication or network position is required beyond luring the victim to the malicious link.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information such as authentication cookies or admin credentials. The attack is confined to the victim's browser session and does not directly compromise the server.

Mitigation

The vulnerability is fixed in version 5.0.6 of the Praison SEO plugin, as indicated by the plugin repository [1]. Users should update to the latest version immediately. No official workaround has been published; disabling the plugin until an update is applied is a temporary measure. The plugin is actively maintained, and the fix is available via the WordPress plugin directory.
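
A version check for the update step above, added here as an example (it is not code from the advisory or from the plugin). It reads the standard WordPress plugin header from a plugin directory, for instance wp-content/plugins/seo-wordpress on a default install, and compares it with the two versions this page gives; the file name main.php and the sample headers are constructed, and versions between 4.0.15 and 5.0.6 are reported as unconfirmed because the page places them in neither range.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (4, 0, 15)  # from this page: affected through <= 4.0.15
FIRST_FIXED = (5, 0, 6)     # from this page: fixed in 5.0.6

# WordPress takes the plugin version from a "Version:" line in the header comment.
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Turn '4.2' into (4, 2, 0) so tuples compare numerically."""
    parts = [int(p) for p in text.strip(".").split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Version from the first top-level PHP file carrying a plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress scans the first 8 KB
        if re.search(r"Plugin Name:", head, re.I):
            match = HEADER.search(head)
            if match:
                return parse_version(match.group(1))
    return None

def classify(version):
    if version is None:
        return "not-found"
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    return "unconfirmed"  # between the two stated versions: treat as unpatched

def demo():
    """Run the check against constructed headers (not real plugin files)."""
    results = {}
    for ver in ("4.0.15", "4.2", "5.0.6"):
        with tempfile.TemporaryDirectory() as d:
            Path(d, "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: Constructed Sample\n * Version: {ver}\n */\n")
            results[ver] = classify(installed_version(d))
    return results

if __name__ == "__main__":
    print(demo())
```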

References
  1. Praison AI SEO

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
