CVE-2024-47365
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atakan Au Automatically Hierarchic Categories in Menu (automatically-hierarchic-categories-in-menu) allows Stored XSS. This issue affects Automatically Hierarchic Categories in Menu: from n/a through <= 2.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Automatically Hierarchic Categories in Menu plugin ≤2.0.5 allows authenticated attackers to inject arbitrary scripts.
The Automatically Hierarchic Categories in Menu WordPress plugin (versions 2.0.5 and earlier) suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, enabling the injection of malicious scripts into pages that are later served to site visitors [1].
Exploitation requires an authenticated user with the necessary privileges (likely editor or admin) to submit crafted input via the plugin's settings or menu management interface. An attacker can trigger the stored script by having a privileged user perform an action such as clicking a malicious link or visiting a specially crafted page [1].
Successful exploitation allows an attacker to inject arbitrary JavaScript, HTML, or other payloads. This can be used to redirect visitors to malicious websites, display unwanted advertisements, or steal session cookies and perform actions on behalf of the victim. The CVSS score of 6.5 indicates a medium severity [1].
The vendor has released version 2.0.6, which fixes this vulnerability. Users are strongly advised to update to the latest version or enable auto-updates for vulnerable plugins. As a workaround, ensure that only trusted users have admin-level access and avoid clicking suspicious links [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.0.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.