CVE-2024-47367

Vulnerability

Overview The YITH WooCommerce Product Add-Ons plugin for WordPress versions up to and including 4.13.0 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into a page.

Exploitation

Details Exploitation requires user interaction: a privileged user (such as an administrator) must click a malicious link or visit a crafted page [1]. The attacker does not need authentication but relies on tricking a logged-in user into performing an action. The injected script executes in the context of the victim's browser, within the WordPress admin area.

Impact

Successful exploitation could allow an attacker to perform actions such as redirecting visitors to malicious sites, displaying advertisements, or stealing session cookies [1]. This could lead to account takeover, defacement, or further compromise of the WordPress site.

Mitigation

The vulnerability is patched in version 4.13.1 [1]. Users are strongly advised to update immediately. If updating is not possible, Patchstack offers a mitigation rule to block attacks until the update is applied [1].