CVE-2024-51916
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Brahma Multifox Plus multifox-plus allows DOM-Based XSS. This issue affects Multifox Plus: from n/a through <= 1.1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multifox Plus plugin ≤1.1.6 has a DOM-Based XSS vulnerability allowing script injection via improper input neutralization.
CVE-2024-51916 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the Multifox Plus WordPress plugin, affecting versions up to and including 1.1.6. The flaw stems from improper neutralization of user-controllable input during web page generation, enabling an attacker to inject arbitrary JavaScript or HTML payloads into the page DOM [1].
Exploitation requires a privileged user to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a specially prepared form. The attack does not require direct authentication to the victim's browser session but depends on user interaction to trigger the injected script [1].
Successful exploitation allows an attacker to execute arbitrary scripts in the context of a victim's browser when they visit the affected site. This can be leveraged to steal session cookies, redirect users to malicious sites, inject unwanted advertisements, or deliver other HTML payloads, potentially compromising the integrity of the website and its visitors [1].
Mitigation is available by updating the Multifox Plus plugin to a version newer than 1.1.6. If an immediate update is not possible, users should consult their hosting provider or a web developer for assistance. The vulnerability is listed on Patchstack and has a CVSS v3 base score of 6.5 (Medium), reflecting the need for user interaction and the potential impact on confidentiality and integrity [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
References
1