VYPR
Medium severity · 6.5 · NVD Advisory · Published Jul 20, 2024 · Updated Apr 15, 2026

CVE-2024-38697


Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ali Rahimi Goftino allows Stored XSS. This issue affects Goftino: from n/a through 1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Goftino WordPress plugin up to version 1.6 allows attackers with editor-level access to inject malicious scripts.

Vulnerability

Overview

The Goftino WordPress plugin, versions 1.6 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an authenticated user with at least editor-level privileges to inject arbitrary HTML and JavaScript payloads that are stored on the server and executed when other users (including site visitors) view the affected page [1].

Exploitation

Details

An attacker must first obtain a WordPress user account with the 'edit_posts' capability or higher, such as an Editor or Administrator [1]. Once authenticated, they can inject malicious code through input fields that are not properly sanitized by the plugin. Successful exploitation requires a privileged user to perform an action — such as clicking a malicious link or visiting a crafted page — which then triggers the payload [1]. The vulnerability is listed on Patchstack's database and is considered likely to be used in mass-exploit campaigns targeting thousands of websites regardless of size [1].

Impact

If exploited, the attacker can redirect visitors to malicious sites, inject advertising, deface the website, or steal session cookies and other sensitive data [1]. The CVSS v3 score is 6.5 (Medium), and user interaction is required for the initial trigger, making it suitable for watering-hole attacks or phishing campaigns against the site's administrative users [1].

Mitigation

The vulnerability is resolved in Goftino version 1.7 [1]. Users should immediately update the plugin to the latest version. Site administrators who cannot update immediately can apply a virtual patch via Patchstack's mitigation rule, which blocks exploitation attempts until the plugin is updated [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)