CVE-2024-50445

Vulnerability

Overview

The Selection Lite WordPress plugin (versions up to and including 1.13) suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This allows authenticated users with contributor-level access or above to inject arbitrary web scripts or HTML into pages, which are then executed when other users visit the affected pages [1].

Exploitation

Conditions

Exploitation requires an authenticated user with at least contributor privileges to save malicious input. The injected payload is stored on the server and executed in the browser of any visitor accessing the compromised page. No direct user interaction is required from the victim; simply viewing the page triggers the script [1].

Impact

Successful exploitation can lead to a range of malicious activities including redirecting visitors to phishing sites, injecting advertisements, or stealing session cookies. While the CVSS score of 6.5 indicates medium severity, the ease of exploitation and potential for mass campaigns make it a concern for site administrators [1].

Mitigation

The vulnerability is patched in version 1.14. Users are strongly advised to update the plugin immediately. If updating is not possible, consider disabling the plugin or applying virtual patching via a web application firewall. Automated updates can be enabled for Patchstack users [1].