CVE-2024-49316

The Akismet htaccess writer plugin for WordPress versions through 1.0.1 contains a reflected Cross-site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw enables an attacker to inject arbitrary web scripts or HTML into a page, which will be executed in the browser of a user who visits the crafted URL.

Exploitation requires user interaction, such as clicking a malicious link or visiting a specially crafted page, but does not require authentication [1]. The attacker does not need any special privileges, only the ability to trick a user into following the link. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites.

Successful exploitation allows an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to redirects, advertisements, or other HTML payloads [1]. The CVSS score is 7.1 (High), reflecting the moderate danger and likelihood of exploitation.

As of the publication date, the vendor has not issued a patch, but Patchstack has released a mitigation rule to block attacks until an official fix is available [1]. Users are advised to update the plugin immediately or apply the mitigation rule.