CVE-2024-43137
Description
Stored XSS vulnerability in WappPress plugin versions up to 6.0.4 allows attackers to inject malicious scripts via improper input neutralization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WappPress plugin for WordPress (versions up to 6.0.4) suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary JavaScript code that gets stored and executed when other users view the affected page. The vulnerability is present in the plugin's handling of certain input fields.
Exploitation
An attacker with contributor-level access or higher (or any role that can submit content that is processed by the plugin) can inject malicious script payloads into input fields that are not properly sanitized. The injected script will be stored and executed in the browsers of other users, including administrators, when they visit the affected page. No additional user interaction beyond viewing the page is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information (e.g., cookies, authentication tokens), or redirection to malicious sites. The impact is limited to the WordPress site's user base and does not directly affect the server.
Mitigation
The vendor has released version 8.0.1 (as per the WordPress plugin repository [1]), which likely addresses this vulnerability. Users should update to the latest version immediately. If updating is not possible, consider disabling the plugin or applying a web application firewall rule to block malicious input. No workaround details are provided in the available references.
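The page does not identify which WappPress field is affected, so the following is an added, illustrative WordPress plugin snippet (not WappPress code) showing the stored-XSS pattern described under Vulnerability next to the hardened form the Mitigation section implies: authorize the request, sanitize on input, escape on output. The option name `demo_greeting` and all `demo_*` function names are invented for this example.

```php
<?php
/**
 * Illustrative only: invented demo_* functions and the 'demo_greeting' option.
 * Left side: the classic stored-XSS shape. Right side: the hardened version.
 */

// VULNERABLE: raw request input is stored and later echoed without neutralization.
function demo_save_greeting_vulnerable() {
    // No capability check, no nonce, no sanitization: whatever is sent is stored as-is.
    update_option( 'demo_greeting', $_POST['greeting'] );
}

function demo_render_greeting_vulnerable() {
    // Stored value is emitted straight into HTML. A saved <script> payload now
    // executes in the browser of every user who views this output, admins included.
    echo '<div class="greeting">' . get_option( 'demo_greeting' ) . '</div>';
}

// HARDENED: authorize, sanitize on the way in, escape for the output context.
function demo_save_greeting_hardened() {
    // Only users with the required capability may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // The submitting form must include wp_nonce_field( 'demo_save_greeting' );
    // this call rejects requests that do not carry a valid nonce.
    check_admin_referer( 'demo_save_greeting' );

    $raw = isset( $_POST['greeting'] ) ? wp_unslash( $_POST['greeting'] ) : '';
    // sanitize_text_field() strips tags, invalid UTF-8 octets and line breaks
    // before the value reaches the database.
    update_option( 'demo_greeting', sanitize_text_field( $raw ) );
}

function demo_render_greeting_hardened() {
    // Escape for the exact context at output time: esc_html() for element text,
    // esc_attr() for attribute values. Stored data is still treated as untrusted,
    // because an older plugin version may have stored it unsanitized.
    $greeting = get_option( 'demo_greeting', '' );
    printf(
        '<div class="greeting" data-greeting="%s">%s</div>',
        esc_attr( $greeting ),
        esc_html( $greeting )
    );
}
```

Where a field is meant to accept limited HTML from contributor-level users, `wp_kses_post()` on input is the WordPress-idiomatic replacement for `sanitize_text_field()`, while output escaping stays in place.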
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.