CVE-2024-49228
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Edwin Rivera bVerse Convert bverse-convert allows Stored XSS. This issue affects bVerse Convert: from n/a through <= 1.3.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress bVerse Convert plugin ≤1.3.7.1 allows contributors to inject malicious scripts.
Vulnerability Overview
CVE-2024-49228 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress bVerse Convert plugin, affecting versions up to 1.3.7.1. The issue stems from improper neutralization of user input during web page generation, allowing unvalidated data to be saved and later executed in the context of other users' browsers [1].
Exploitation Conditions
To exploit this vulnerability, an attacker must have contributor-level access or higher to the WordPress site. The attacker can inject malicious script payloads into fields processed by the plugin, which are then stored and displayed to other users. No additional user interaction is required for the stored script to execute when a victim visits the affected page [1].
Impact
Successful exploitation enables an attacker to execute arbitrary scripts in the browsers of users who view the compromised content, potentially leading to session hijacking, data theft, defacement, or redirection to malicious sites. The CVSS score of 6.5 reflects the medium severity due to the need for authenticated access [1].
Mitigation
Users are strongly advised to update the bVerse Convert plugin to a version newer than 1.3.7.1. If an update is not immediately available, temporary measures such as disabling the plugin or applying Web Application Firewall (WAF) rules that block XSS payloads can help reduce risk [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- cpe:2.3:a:crossedcode:bverse_convert:*:*:*:*:*:wordpress:*:* (Range: <=1.3.7.1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.