CVE-2024-47301
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bit Apps Bit Form bit-form allows Stored XSS. This issue affects Bit Form: from n/a through <= 2.13.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Bit Form WordPress plugin allows authenticated attackers to inject malicious scripts, risking site compromise via mass exploitation.
Vulnerability Overview
CVE-2024-47301 is a stored cross-site scripting (XSS) vulnerability in the Bit Form plugin for WordPress, affecting versions up to and including 2.13.10. The issue stems from improper neutralization of user-supplied input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code that gets stored on the server and later executed in the browsers of other users [1].
Exploitation Details
To exploit this vulnerability, an attacker must be authenticated with a low-privileged role, such as a subscriber. The injected payload is stored in form fields and triggers when a privileged user (e.g., an administrator) views the affected page, such as the form entries dashboard. This stored XSS does not require the victim to click a malicious link; simply viewing the compromised content executes the script [1].
Impact
The vulnerability enables attackers to perform a range of malicious actions, including redirecting visitors to malicious sites, injecting advertisements, stealing session cookies, or defacing the website. Given its stored nature and the potential for privilege escalation, this flaw is considered moderately dangerous and is expected to be leveraged in mass-exploitation campaigns targeting thousands of WordPress sites [1].
Mitigation
The vendor has released version 2.13.11, which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a virtual mitigation rule to block attacks until the plugin can be updated [1].
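A defender-side inventory check, added here as an example and not part of the CVE record or the vendor's tooling: it compares an installed Bit Form version against the 2.13.11 fix boundary stated above. Only the plugin slug (bit-form) and the version numbers come from the record; the use of WP-CLI, the function names and the assumption that versions are plain dotted numerics are this snippet's own.

```shell
#!/bin/sh
# Added example: flag Bit Form installs still at or below 2.13.10.
# Assumption: versions are dotted numerics (e.g. 2.13.10); WP-CLI is installed.
FIXED_VERSION="2.13.11"   # first patched release per the Mitigation section

# version_lt A B -> returns 0 when A is strictly older than B.
# Compares component by component; missing components count as 0,
# so "2.13" is treated as older than "2.13.11".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# bit_form_vulnerable VERSION -> returns 0 when VERSION predates the fix.
bit_form_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH -> reads the installed bit-form version with WP-CLI
# and prints a verdict; exit 1 = affected, 2 = plugin/WP-CLI not found.
check_site() {
    ver=$(wp plugin get bit-form --field=version --path="$1" 2>/dev/null) || {
        echo "$1: bit-form not installed or WP-CLI unavailable"; return 2; }
    if bit_form_vulnerable "$ver"; then
        echo "$1: bit-form $ver is affected by CVE-2024-47301; update to $FIXED_VERSION or later"
        return 1
    fi
    echo "$1: bit-form $ver is not affected"
}
```

Run `check_site /var/www/example` per site, or loop it over a fleet of document roots; the non-zero exit codes make it easy to collect affected hosts.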
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.