High severity 7.1 · NVD Advisory · Published Oct 5, 2024 · Updated Apr 23, 2026

CVE-2024-47379

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows Reflected XSS. This issue affects Web Directory Free: from n/a through <= 1.7.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Web Directory Free WordPress plugin allows attackers to inject malicious scripts via crafted requests.

Vulnerability Overview

The Web Directory Free WordPress plugin versions up to 1.7.3 contain a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during page generation. An attacker can inject arbitrary JavaScript or HTML into the response by crafting a malicious URL that includes the payload.

Exploitation

This vulnerability is classified as reflected XSS, requiring user interaction. An attacker must trick a privileged user (e.g., an administrator) into clicking a crafted link. When the victim visits the specially crafted URL, the injected script executes within the context of their browser session, potentially on the WordPress admin dashboard.

Impact

Successful exploitation allows attackers to inject malicious scripts that can perform actions such as redirecting visitors to malicious sites, displaying ads, or stealing sensitive information like session cookies. Given the plugin's widespread use, this vulnerability is expected to be targeted in mass-exploit campaigns [1].

Mitigation

The vendor has released version 1.7.4 to address the issue. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a virtual mitigation rule to block attacks until the patch is applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
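A defender-side check for the mitigation above, as an added example that is not part of the advisory or the plugin's code: it reads the plugin header under a WordPress plugins directory and reports whether the installed Web Directory Free release is older than 1.7.4. It assumes the plugin directory is named after the slug `web-directory-free`; the function names and the `main.php` sample file are constructed for illustration.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "web-directory-free"  # slug from the CVE description (assumed directory name)
FIXED_VERSION = (1, 7, 4)           # first fixed release according to the advisory
# Header fields sit in a PHP comment at the top of the plugin's main file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*\S", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def parse_version(text):
    """Turn '1.7.3' or '1.7.4-beta' into a tuple of ints; () if no digits lead."""
    nums = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in nums.group().split(".")) if nums else ()


def installed_version(plugins_dir):
    """Return the version tuple, () if unparsable, None if no plugin header is found."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers live near the top
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return parse_version(m.group(1)) if m else ()
    return None


def status(plugins_dir):
    """Classify the install as not-installed, unknown-version, vulnerable or patched."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    if not version:
        return "unknown-version"
    return "vulnerable" if version < FIXED_VERSION else "patched"


def make_sample_tree(root, version):
    """Constructed sample: a fake plugins directory with a minimal plugin header."""
    d = Path(root) / PLUGIN_SLUG
    d.mkdir(parents=True)
    header = "<?php\n/*\nPlugin Name: Web Directory Free\nVersion: %s\n*/\n"
    (d / "main.php").write_text(header % version)
    return root
```

Call `status()` with the path to a site's `wp-content/plugins` directory; `make_sample_tree()` exists only to build test input.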


References

1
