VYPR
Medium severity 5.9 · NVD Advisory · Published Mar 6, 2026 · Updated Apr 22, 2026

CVE-2024-35644

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS. This issue affects Preferred Languages: from n/a through 2.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in WordPress Preferred Languages plugin (≤2.2.2) allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability Overview

The Preferred Languages plugin for WordPress versions 2.2.2 and earlier contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser when they interact with a crafted page or link.

Exploitation Details

Exploitation requires user interaction, such as clicking a malicious link or visiting a specially crafted page [1]. The attack can be initiated by a privileged user role, but successful execution depends on the victim performing an action. The vulnerability is DOM-based, meaning the payload is processed client-side rather than stored on the server.

Impact

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when visitors access the affected site [1]. This can lead to defacement, phishing, or further compromise of user sessions.

Mitigation

The vendor has released version 2.3.0 which resolves the vulnerability [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If unable to update, consult your hosting provider or web developer for assistance [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
