CVE-2024-50441

Vulnerability

Overview

CVE-2024-50441 is a Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Cozy Blocks (cozy-addons), developed by CozyThemes. The issue stems from improper neutralization of user-supplied input during web page generation. Affected versions range from n/a through 2.0.15. This flaw allows stored XSS, meaning the injected script is permanently stored on the server and executed when other users access the affected page.

Attack

Vector and Requirements

Exploitation requires a privileged user role, such as a contributor or higher, to inject the malicious payload [1]. While user interaction is necessary for execution (e.g., an administrator visiting the compromised page), the attacker does not need to trick a victim into clicking a link; the script runs automatically upon page load. The attack surface is limited to authenticated users with some publishing capabilities, but the stored nature of the XSS can have a broad reach across the site's visitors.

Impact

A successful attack allows an attacker to inject arbitrary HTML and JavaScript into the site. This could be used for redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or performing other actions as the context of the logged-in user [1]. The CVSS v3 base score of 6.5 (Medium) reflects this moderate impact due to the requirement for authenticated access and user interaction.

Mitigation

Users are strongly advised to update the Cozy Blocks plugin to version 2.0.16 or later, which contains a fix for this vulnerability [1]. Patchstack users can enable automatic updates for vulnerable plugins. Given that vulnerabilities of this type are used in mass-exploit campaigns, prompt updating is recommended even though the severity is rated medium.