CVE-2024-49307
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpseek Admin Management Xtended admin-management-xtended allows Stored XSS. This issue affects Admin Management Xtended: from n/a through <= 2.4.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Admin Management Xtended plugin (≤2.4.6) allows attackers with contributor+ roles to inject malicious scripts, leading to redirects or ads on visitor pages.
Vulnerability
Overview
The WordPress Admin Management Xtended plugin versions 2.4.6 and earlier contain a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This allows malicious actors to inject arbitrary HTML and JavaScript into the plugin's output, which is later executed in the browsers of visitors.
Exploitation
Details
Exploitation requires a WordPress user role with at least Contributor-level privileges to submit crafted input. The vulnerability is triggered when a privileged user (e.g., admin) performs an action such as clicking a malicious link or visiting a specially crafted page, leading to the stored script being executed [1]. No authentication bypass or special network access is required beyond standard WordPress administration capabilities.
Impact
If successfully exploited, an attacker can inject malicious scripts that execute in the context of any visitor's browser. Common payloads include redirects to malicious sites, advertisements, or other HTML payloads [1]. This can lead to defacement of the site, loss of visitor trust, and potential credential harvesting if combined with social engineering.
Mitigation
The vendor released version 2.4.7 to fix the issue. Users are strongly advised to update to this version immediately, or enable auto-updates for vulnerable plugins if using Patchstack [1]. No workarounds have been published, and the vulnerability is considered low severity with low likelihood of exploitation, but updates are recommended as a precaution.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.4.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.