VYPR
Medium severity (6.5) · NVD Advisory · Published Aug 18, 2024 · Updated Apr 15, 2026

CVE-2024-43305

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Code Amp Custom Layouts – Post + Product grids made easy allows Stored XSS. This issue affects Custom Layouts – Post + Product grids made easy: from n/a through 1.4.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Custom Layouts plugin (versions up to 1.4.11) allows authenticated attackers with contributor+ roles to inject arbitrary scripts via improperly neutralized input.

Vulnerability

Overview

The Custom Layouts – Post + Product grids made easy plugin for WordPress, versions 1.4.11 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw allows attackers to inject arbitrary JavaScript or HTML into the plugin's layout fields, which are subsequently stored and executed in the browser of any visitor viewing the compromised page [1].
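The weakness class named above (CWE-79, input stored by one user and later written into a page without neutralization) is easiest to see in a minimal render function. The following is an added illustration, not code from the Custom Layouts plugin or from Code Amp; the meta keys (`_example_layout_title`, `_example_layout_description`) and function names are hypothetical, while `get_post_meta()`, `update_post_meta()`, `sanitize_text_field()`, `esc_html()`, `wp_kses_post()` and `current_user_can()` are standard WordPress APIs. The unsafe variant reproduces the pattern the advisory describes; the two safe variants show the two output contexts a layout plugin typically has to handle.

```php
<?php
// Added example (not the plugin's own code). Shows the stored-XSS pattern
// described in the advisory and its hardened counterpart. Meta keys and
// function names below are hypothetical.

// --- Vulnerable pattern: a value saved by a Contributor is echoed raw ---
function example_render_layout_title_unsafe( int $layout_id ): string {
    // Hypothetical post meta key holding a layout's title.
    $title = get_post_meta( $layout_id, '_example_layout_title', true );
    // Raw interpolation into HTML: any script tag or event-handler attribute
    // stored in the field runs in the browser of every visitor who loads
    // a page that includes this layout.
    return '<h2 class="layout-title">' . $title . '</h2>';
}

// --- Hardened pattern: sanitize on save, escape for the output context ---
function example_save_layout_title( int $layout_id, string $raw_title ): void {
    // Capability check: only users allowed to edit this layout may change it.
    if ( ! current_user_can( 'edit_post', $layout_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags, octets and line breaks before storage.
    update_post_meta( $layout_id, '_example_layout_title', sanitize_text_field( $raw_title ) );
}

function example_render_layout_title_safe( int $layout_id ): string {
    $title = get_post_meta( $layout_id, '_example_layout_title', true );
    // Escape at output time for the HTML text context. Sanitizing on save is
    // defence in depth, not a substitute: older rows or other write paths may
    // have stored unsanitized data.
    return '<h2 class="layout-title">' . esc_html( $title ) . '</h2>';
}

// For a field that legitimately carries limited markup (e.g. a layout
// description), wp_kses_post() keeps the tags allowed in post content and
// removes script elements and on* event-handler attributes.
function example_render_layout_description_safe( int $layout_id ): string {
    $description = get_post_meta( $layout_id, '_example_layout_description', true );
    return '<div class="layout-description">' . wp_kses_post( $description ) . '</div>';
}
```

When reviewing a plugin for this class of flaw, the check is mechanical: for every stored field, find each place it reaches HTML and confirm the escaping function matches the context (`esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`/`src`, `wp_kses_post()` only where rich text is intended). Escaping chosen per output context, rather than trust in what was sanitized on save, is what closes the gap between a Contributor's input and an administrator's browser.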

Exploitation

Requirements

Exploitation requires a user with at least Contributor-level access to the WordPress instance. The attacker must have the ability to create or edit layouts using the plugin's interface. Once a malicious payload is submitted, no further user interaction is needed for execution — the injected script runs automatically when a page containing the malicious layout is loaded by any user, including unauthenticated visitors [1].

Impact

Successful exploitation enables an attacker to perform a wide range of malicious actions within the context of the victim's browser. These include redirecting visitors to phishing or malware sites, displaying intrusive advertisements, stealing session cookies, or performing actions on behalf of an authenticated administrator if they visit the compromised page. This can lead to complete site compromise if an admin is targeted [1].

Mitigation

Status

The vulnerability has been patched in version 1.4.12 of the plugin. Users are strongly advised to update immediately. For sites where an immediate update is not possible, disabling the plugin or restricting Contributor-level access may reduce risk. The Patchstack service has flagged this vulnerability for automated updates [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.