VYPR
High severity 7.1 · NVD Advisory · Published Aug 18, 2024 · Updated Apr 15, 2026

CVE-2024-43246

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in creativeon WHMpress allows Reflected XSS. This issue affects WHMpress: from n/a through 6.2-revision-5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the WHMpress WordPress plugin (<=6.2-revision-5) allows unauthenticated attackers to inject arbitrary web scripts via improperly neutralized input.

Vulnerability Description

The WHMpress WordPress plugin, up to version 6.2-revision-5, is affected by a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This type of flaw occurs when the plugin fails to sanitize or encode user-supplied data before including it in HTTP responses, allowing arbitrary script injection.

Exploitation

To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator) into clicking a crafted malicious link or submitting a specially prepared form [1]. The attack is reflected, meaning the payload is delivered via the current HTTP request and executed immediately in the browser of the victim who interacts with the link. No authentication is required from the attacker, but user interaction is necessary.

Impact

Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript code into the victim's browser session within the context of the affected WordPress site [1]. This can be used to perform actions such as redirecting visitors to malicious sites, displaying advertisements, stealing session cookies, or other client-side attacks that compromise the integrity and confidentiality of the site and its users.

Mitigation

The vulnerability is known to be exploited (KEV) and is part of mass-exploit campaigns [1]. Users are strongly advised to update the WHMpress plugin immediately if a patched version is available. If an update cannot be applied immediately, temporary mitigation rules (e.g., from Patchstack) can block attacks until an official fix is deployed [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
