CVE-2024-47310

Vulnerability

Overview

The ARI Fancy Lightbox plugin for WordPress versions up to and including 1.3.17 suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This allows unauthenticated or low-privilege attackers to inject arbitrary web scripts that are executed when other users access the affected page [1].

Exploitation

Exploitation requires a privileged user to perform an action, such as clicking a malicious link or submitting a crafted form. Once triggered, the injected script becomes persistent and executes whenever a visitor loads the compromised page. User interaction is necessary for initial injection, but subsequent victims do not need to interact [1].

Impact

A successful attack can lead to malicious activities such as redirecting visitors to harmful sites, displaying unwanted advertisements, or other HTML payloads. The CVSS score of 6.5 indicates medium severity, though the impact is limited to the context of the affected site [1].

Mitigation

The vulnerability is patched in version 1.3.18. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates via Patchstack or consulting a hosting provider is recommended [1].