CVE-2024-43347

Vulnerability

Description The Button contact VR plugin for WordPress (versions up to 4.7.3) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected pages.

Exploitation

Details Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link or submitting a crafted form. Once triggered, the malicious script is stored within the plugin's settings or content, affecting all subsequent visitors. No authentication bypass is needed; the attacker must lure an authenticated admin into the action.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to redirection to malicious sites, defacement, advertisement injection, or theft of sensitive information like cookies or session tokens. The CVSS v3 base score is 5.9 (Medium), indicating moderate risk.

Mitigation

The vendor has addressed the vulnerability in version 4.7.8. All users are strongly advised to update to this latest version immediately. If immediate update is not possible, consider employing a web application firewall or temporarily disabling the plugin until the update can be applied [1].