CVE-2024-43320

The vulnerability is a stored cross-site scripting (XSS) issue in the Livemesh Addons for WPBakery Page Builder WordPress plugin, versions up to 3.9. It stems from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript into pages [1].

Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or submitting a crafted form. This user interaction is necessary for the attack to succeed, but once triggered, the injected script is stored and executed when other users visit the affected page [1].

The impact includes the ability to inject malicious scripts that can redirect visitors, display advertisements, or deliver other HTML payloads. This could be used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of their size or popularity [1].

As a mitigation, the vendor has released version 3.9.1, which resolves the vulnerability. Users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. While the CVSS score is 6.5 (Medium), the advisory notes that the severity is considered low and exploitation is unlikely, but proactive updating is recommended [1].