CVE-2024-38767

Vulnerability

Overview CVE-2024-38767 is a stored cross-site scripting (XSS) vulnerability found in the BSK PDF Manager plugin for WordPress, developed by BannerSky.Com. The vulnerability stems from improper neutralization of user-provided input during web page generation, allowing arbitrary JavaScript or HTML to be stored and later executed in the context of other users' browsers [1].

Exploitation

Details Exploitation requires a privileged user (such as an administrator) to perform an action, like clicking a crafted link or submitting a malicious form. Once triggered, the injected script is stored on the server and will be executed when other users, including regular visitors, access the affected page. The attack does not require direct user interaction beyond the initial privileged action, and the attacker can be relatively unprivileged [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, which may include redirects, advertisements, or other HTML payloads. This could lead to defacement, data theft, or further compromise of the website and its visitors [1].

Mitigation

The vulnerability affects BSK PDF Manager versions from n/a through 3.6. The vendor has released version 3.6.1, which resolves the issue. Users are strongly advised to update to this patched version. Patchstack also offers a mitigation rule for users who cannot update immediately [1].