VYPR
Medium severity 6.5 · NVD Advisory · Published Oct 28, 2024 · Updated Apr 23, 2026

CVE-2024-50462

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in html5maps Interactive World Map interactive-world-map allows Stored XSS. This issue affects Interactive World Map: from n/a through <= 3.4.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Interactive World Map plugin ≤3.4.4 allows privileged attackers to inject arbitrary scripts, including redirects and ads.

Vulnerability

Analysis

The interactive-world-map WordPress plugin, in versions up to and including 3.4.4, contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. This lets malicious actors with contributor-level or higher privileges inject arbitrary HTML and JavaScript that is stored on the server and executed in the browsers of visitors.

Exploitation

An attacker must have a WordPress user account with at least the Contributor role to inject the malicious payload. The injected script is triggered when any user (including administrators and site visitors) loads a page displaying the interactive map. According to the advisory, successful exploitation requires a privileged user to perform an action, such as clicking a malicious link or submitting a form [1].

Impact

A successful exploit allows the attacker to perform actions in the context of the victim's session, such as redirecting visitors to malicious sites, displaying unauthorized advertisements, defacing the website, or stealing sensitive session data. This type of vulnerability is frequently leveraged in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].

Mitigation

The vendor has released version 3.4.8, which resolves the vulnerability. Users are strongly advised to update immediately. If updating is not possible, enabling auto-updates for the affected plugin via Patchstack is recommended [1]. No workarounds have been provided.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1


References

1
