High severity · 7.1 · NVD Advisory · Published Oct 5, 2024 · Updated Apr 23, 2026

CVE-2024-47644

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Copyscape Copyscape Premium copyscape-premium allows Stored XSS. This issue affects Copyscape Premium: from n/a through <= 1.3.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Copyscape Premium ≤1.3.9 allows attackers to inject arbitrary scripts via improperly neutralized input.

Vulnerability

Overview

Copyscape Premium versions up to and including 1.3.9 contain a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation [1]. This issue allows an attacker to inject malicious scripts that are stored on the server and later executed in the browsers of users accessing the affected pages.

Exploitation

Exploitation requires a privileged user to perform an action—such as clicking a malicious link or submitting a crafted form—due to the Cross-Site Request Forgery (CSRF) vector that enables the injection [1]. The vulnerability is partially patched in versions 1.3.7 and later, but still present in the affected range [1].

Impact

An authenticated attacker with lower privileges can force higher-privileged users to execute unwanted actions under their current session, leading to data theft, defacement, or further compromise of the WordPress site [1]. The potential for mass exploitation campaigns is noted, as similar vulnerabilities are frequently targeted [1].

Mitigation

Users should update to version 1.4.0 or later to fully resolve the vulnerability [1]. Patchstack provides a mitigation rule to block attacks until the update is applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
