CVE-2024-47382

Vulnerability

Overview The WordPress Page-list plugin version 5.6 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows attackers with contributor-level access or higher to inject arbitrary HTML and JavaScript into pages that use the plugin's shortcode functionality [1].

Exploitation

Prerequisites To exploit this vulnerability, an attacker must have at least contributor-level privileges in the WordPress admin panel. The attack requires a privileged user to perform an action such as clicking a crafted link or submitting a form, making it a stored XSS that triggers when other users or visitors view the affected page [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads into the website. These scripts execute when guests or other users visit the compromised page, potentially leading to data theft, defacement, or further site compromise [1].

Mitigation

The vendor has released version 5.7 which resolves this vulnerability. Users are strongly urged to update the Page-list plugin immediately. For those unable to update, consulting a hosting provider or web developer is recommended. The issue is not actively exploited but poses a risk due to its stored XSS nature [1].