VYPR
High severity (7.1) · NVD Advisory · Published Oct 6, 2024 · Updated Apr 23, 2026

CVE-2024-47339

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JWardee WP Mail Catcher wp-mail-catcher allows Reflected XSS. This issue affects WP Mail Catcher: from n/a through <= 2.1.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WP Mail Catcher plugin <=2.1.9 allows unauthenticated attackers to inject arbitrary web scripts via improper input neutralization.

Vulnerability Overview

The WP Mail Catcher WordPress plugin versions up to and including 2.1.9 suffer from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw arises when the plugin fails to sanitize or escape data before including it in output, enabling injection of arbitrary HTML and JavaScript code [1].

Exploitation Details

The vulnerability is classified as reflected XSS, meaning an attacker must trick a victim into clicking a crafted link or visiting a maliciously prepared page. No authentication is required, so any website visitor can be targeted. The attack surface is the plugin's administrative or public-facing pages that reflect input without proper encoding, allowing script execution in the context of the victim's browser session [1].

Impact

Successful exploitation could allow an attacker to inject malicious scripts—such as redirects, advertisements, or other HTML payloads—which execute when the victim loads the affected page. This can lead to session hijacking, credential theft, defacement, or further compromise of the WordPress site. The vulnerability is rated moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

The vendor has released version 2.1.10 which resolves the issue. Users are strongly advised to update immediately. For sites unable to update immediately, Patchstack has issued a mitigation rule to block attacks until a patched version can be applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
