VYPR
Medium severity 6.5 · NVD Advisory · Published Aug 18, 2024 · Updated Apr 23, 2026

CVE-2024-43306

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for eBay (wp-lister-for-ebay). This issue affects WP-Lister Lite for eBay: from n/a through <= 3.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WP-Lister Lite for eBay plugin allows authenticated users to inject malicious scripts into the admin interface.

Vulnerability Overview

The WP-Lister Lite for eBay plugin for WordPress, versions up to and including 3.6.0, is vulnerable to a stored cross-site scripting (XSS) attack. This improper neutralization of user-supplied input during web page generation allows attackers to inject arbitrary JavaScript or HTML into the admin panel [1].

Exploitation Details

An authenticated attacker with at least author-level privileges can inject malicious scripts, which are then stored and executed in the context of other users accessing the affected admin pages. No special network position is required beyond normal WordPress access; however, successful exploitation relies on a privileged user (such as an admin) to perform an action like viewing a crafted page or clicking a malicious link [1].

Impact

Attackers exploiting this vulnerability can inject payloads that redirect visitors to malicious sites, display advertisements, or execute other arbitrary HTML/JavaScript in the browser of any user visiting the compromised admin interface. This can lead to session hijacking, defacement, or further compromise of the WordPress site [1].

Mitigation

The vulnerability has been patched in version 3.6.1. Users are strongly advised to update immediately. Those unable to update can implement a virtual patch via Patchstack's mitigation rule, which blocks attacks until an update is applied. The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1