CVE-2024-47297
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Polls cp-polls allows Reflected XSS. This issue affects CP Polls: from n/a through <= 1.0.74.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in CP Polls plugin (≤1.0.74) allows unauthenticated attackers to inject malicious scripts via improperly neutralized input.
Vulnerability Description
CVE-2024-47297 is a reflected cross-site scripting (XSS) vulnerability in the WordPress CP Polls plugin (cp-polls) versions up to and including 1.0.74. The root cause is improper neutralization of user-supplied input during page generation, allowing an attacker to reflect arbitrary JavaScript or HTML in the server's response [1].
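The following is an added illustration of the root cause named above (reflecting a request parameter into the page without output encoding) next to the hardened form; it is not code from CP Polls, and the advisory does not name the vulnerable parameter, so the parameter name "q" and the query strings are constructed placeholders. The check at the end is the kind of assertion a plugin's own test suite can carry to catch a regression in output encoding.

```python
import html
from urllib.parse import parse_qs

# Constructed request data. "q" stands in for whatever parameter the plugin
# reflects; the real name is not given in the advisory.
SAMPLE_QUERY = "q=<script>alert(1)</script>&page=2"
ATTR_PAYLOAD = '"><i>injected</i>'


def first_param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or "" if absent."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the reflected value is concatenated into HTML verbatim,
    so any markup in the request ends up in the response unchanged."""
    q = first_param(query_string, "q")
    return f"<p>Results for: {q}</p>"


def render_safe(query_string: str) -> str:
    """Hardened pattern: the value is HTML-entity encoded for the text context
    it is written into. In WordPress plugin code the equivalent step is the
    esc_html()/esc_attr() family of escaping functions."""
    q = first_param(query_string, "q")
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def render_attr_unsafe(value: str) -> str:
    """Same defect in an attribute context: a double quote in the value closes
    the attribute early."""
    return f'<input name="q" value="{value}">'


def render_attr_safe(value: str) -> str:
    """Attribute context encoded with quote=True so '"' becomes '&quot;'."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def reflects_raw_markup(rendered: str, submitted: str) -> bool:
    """Regression check: True if the submitted string appears in the output
    without encoding, i.e. the rendering function is still vulnerable."""
    return submitted in rendered


if __name__ == "__main__":
    payload = first_param(SAMPLE_QUERY, "q")
    print("unsafe:", render_unsafe(SAMPLE_QUERY))
    print("safe:  ", render_safe(SAMPLE_QUERY))
    print("unsafe still reflects raw markup:",
          reflects_raw_markup(render_unsafe(SAMPLE_QUERY), payload))
    print("safe still reflects raw markup:  ",
          reflects_raw_markup(render_safe(SAMPLE_QUERY), payload))
```

The encoding has to match the output context: the text-node and attribute cases above both need entity encoding, but a value written into a JavaScript string or a URL needs a different encoder, which is why escaping at the point of output, rather than a single input filter, is the durable fix.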
Exploitation Conditions
To exploit the vulnerability, an attacker must craft a malicious link that includes a payload in a vulnerable parameter. The target user (typically a site administrator or editor) must then click that link while logged into the WordPress backend. User interaction is required, but the attacker does not need any prior authentication or elevated privileges on the target site [1].
Impact
Successful exploitation triggers the injected script in the context of the logged-in user's browser session. This can result in session hijacking, forced redirections to malicious websites, defacement, or other unauthorized actions. The vulnerability is considered moderately dangerous and is expected to be incorporated into mass-exploit campaigns targeting thousands of WordPress sites regardless of size [1].
Mitigation
A patched version, 1.0.75, has been released. Users are strongly advised to update immediately. If an immediate update is not possible, hosting providers or WordPress administrators should apply virtual patching or web application firewall rules that block the vulnerable parameter. The official advisory provides a mitigation rule via Patchstack [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.