CVE-2024-47306
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Secure Copy Content Protection and Content Locking (secure-copy-content-protection-subscribe-to-view) allows Stored XSS. This issue affects Secure Copy Content Protection and Content Locking: from n/a through <= 4.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Secure Copy Content Protection and Content Locking plugin (≤4.2.3) allows attackers with contributor-level access to inject arbitrary scripts via unsanitized input.
The Secure Copy Content Protection and Content Locking WordPress plugin (versions up to and including 4.2.3) is vulnerable to Stored Cross-Site Scripting (XSS). The flaw originates from improper neutralization of user-supplied input during web page generation. The plugin fails to sanitize and escape certain fields before storing them in the database, allowing malicious markup to persist and execute in the context of other users' browsers [1].
Exploitation requires an authenticated attacker with contributor-level privileges or higher — roles that can normally submit content. The attacker crafts a payload containing JavaScript or HTML and submits it via a vulnerable form or field. Successful exploitation does not require a direct victim action beyond visiting the affected page, as the stored script loads automatically when the page is rendered for any user [1].
An attacker can leverage this stored XSS to perform actions such as redirecting visitors to malicious websites, injecting advertisements, stealing session cookies, or defacing the site. These attacks can target a wide range of users, including site administrators, potentially leading to privilege escalation or full site compromise [1].
Mitigation
The vulnerability has been fixed in version 4.2.4 of the plugin. Users are strongly advised to update immediately. Plugin developers and site administrators should also consider using a Web Application Firewall (WAF) or a security plugin like Patchstack to block attack patterns until the update is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.