VYPR
Medium severity 6.5 · NVD Advisory · Published Oct 5, 2024 · Updated Apr 23, 2026

CVE-2024-47643

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Include Fussball.de Widgets include-fussball-de-widgets allows Stored XSS. This issue affects Include Fussball.de Widgets: from n/a through <= 4.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the WordPress Include Fussball.de Widgets plugin up to version 4.0.0 allows authenticated users to inject malicious scripts that execute when visitors access affected pages.

A stored cross-site scripting (XSS) vulnerability has been discovered in the Include Fussball.de Widgets WordPress plugin, affecting versions up to and including 4.0.0. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing attackers with sufficient privileges to inject arbitrary HTML and JavaScript code that is permanently stored on the server. [1]

Exploitation requires a privileged user role to inject the payload via a vulnerable input field. Once stored, the malicious script executes automatically when any guest visits an affected page, without requiring further user interaction. The attack surface is typical of WordPress plugins; the injected content can include redirects, advertisements, or other HTML payloads that compromise the integrity of the website. [1]

An attacker who successfully exploits this vulnerability can achieve persistent code execution in the context of any visitor's browser session. This can lead to defacement, redirection to malicious sites, or theft of sensitive session data. The CVSS v3 base score of 6.5 reflects a medium severity, with the requirement for a privileged user to initiate the attack partially offset by the broad impact on all site visitors. [1]

The vendor has not released a patched version; users are advised to update the plugin as soon as a fix becomes available, or to disable the plugin and seek alternative solutions. As the reference notes, such vulnerabilities are frequently used in mass-exploit campaigns against WordPress sites. [1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
