CVE-2024-37422
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Progress Planner Progress Planner progress-planner. This issue affects Progress Planner: from n/a through <= 0.9.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored cross-site scripting vulnerability in WordPress Progress Planner plugin up to version 0.9.2 allows attackers with privileged access to inject malicious scripts.
Vulnerability
Description
In the WordPress Progress Planner plugin versions 0.9.2 and earlier, user input is not properly sanitized before being stored, leading to a stored cross-site scripting (XSS) vulnerability [1][2]. This occurs due to improper neutralization of input during web page generation, allowing arbitrary script injection.
Exploitation
Exploitation requires a privileged user (such as an administrator) to perform an action, like clicking a malicious link or visiting a crafted page [1][2]. Once the script is injected, it is stored and executed when any visitor accesses the affected page.
Impact
An attacker can inject malicious scripts (e.g., redirects, advertisements, data theft) into the WordPress site [1][2]. This can lead to further compromise of users or the site itself, and the vulnerability is considered moderately dangerous and likely to be targeted in mass campaigns.
Mitigation
The vulnerability is patched in version 0.9.3 of the plugin [1][2]. Users are advised to update immediately. Patchstack has released mitigation rules to block attacks until the update is applied.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1
- b45a9dc540df
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
- patchstack.com/database/vulnerability/progress-planner/wordpress-progress-planner-plugin-0-9-2-cross-site-scripting-xss-vulnerability (nvd, Third Party Advisory)
- patchstack.com/database/Wordpress/Plugin/progress-planner/vulnerability/wordpress-progress-planner-plugin-0-9-2-cross-site-scripting-xss-vulnerability (nvd)