CVE-2024-38683
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in iThemelandCo WooCommerce Report allows Reflected XSS. This issue affects WooCommerce Report: from n/a through 1.4.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in WooCommerce Report plugin up to version 1.4.5 allows attackers to inject arbitrary scripts by tricking a privileged user into clicking a malicious link.
The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the WordPress WooCommerce Report plugin, affecting versions from n/a through 1.4.5. The root cause is improper neutralization of user-supplied input during web page generation, as described in the CVE and the Patchstack advisory [1].
Exploitation requires a privileged user to perform an action such as clicking a specially crafted link, visiting a malicious page, or submitting a form. The attacker does not need authentication but must induce an authenticated user to interact with the crafted URL. The reflected nature means the malicious script is returned in the server's response and executed immediately in the user's browser [1].
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the WordPress site, which can then be used to perform actions like redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies. This can compromise the integrity and confidentiality of the affected site and its users [1].
Mitigation is available: users should update to version 1.5.0 or later, which patches the vulnerability. Patchstack also provides a virtual mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.4.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.