CVE-2024-47320
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Westguard WS Form LITE ws-form allows Stored XSS. This issue affects WS Form LITE: from n/a through <= 1.9.238.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WS Form LITE WordPress plugin allows authenticated attackers to inject malicious scripts via form submissions.
Vulnerability Overview
CVE-2024-47320 is a stored Cross-Site Scripting (XSS) vulnerability in the WS Form LITE plugin for WordPress, affecting versions up to and including 1.9.238. The issue arises from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary JavaScript or HTML into form submissions that are later rendered on the site [1].
Exploitation Details
Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or submitting a crafted form. Once the malicious input is stored, it executes in the context of any visitor viewing the affected page, including other administrators. The vulnerability does not require direct network access to the server; it can be triggered through the plugin's form interface [1].
Impact
Successful exploitation enables an attacker to inject malicious scripts that can redirect users, display advertisements, steal session cookies, or perform other actions within the victim's browser. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].
Mitigation
The vendor has released version 1.9.244, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the patch is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
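A version audit built on the boundaries given in the Description and Mitigation sections, as an added example that is not part of the original page or the plugin's own code. It assumes the caller supplies the text of the plugin's main PHP file (the file name is not given on this page); the sample header is constructed for illustration.

```python
import re

# Version boundaries exactly as stated on this page.
LAST_AFFECTED = (1, 9, 238)  # "through <= 1.9.238"
FIRST_FIXED = (1, 9, 244)    # release named under Mitigation

# Constructed sample of a WordPress plugin file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WS Form LITE
 * Version: 1.9.238
 */
"""

def parse_version(text):
    """Turn '1.9.238' into (1, 9, 238); trailing '.0' parts are dropped."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unexpected version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def header_version(plugin_source):
    """Read the 'Version:' field from the header comment at the top of the file."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_source[:8192], re.I | re.M)
    return m.group(1) if m else None

def classify(version_text):
    """Map an installed version onto the ranges this page documents."""
    v = parse_version(version_text)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    # The page says nothing about releases between the two boundaries.
    return "unconfirmed"

def audit(plugin_source):
    """Return (version, status) for one plugin file's contents."""
    version = header_version(plugin_source)
    if version is None:
        return None, "unknown"
    try:
        return version, classify(version)
    except ValueError:
        return version, "unknown"

if __name__ == "__main__":
    print(audit(SAMPLE_HEADER))
```

Installs reported as "unconfirmed" or "unknown" should be treated as needing the update until the installed version is verified.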
Affected products: 1
Patches: 0. No patches discovered yet.
References: 1
News mentions: 0. No linked articles in our index yet.