CVE-2024-51920

Vulnerability

Overview CVE-2024-51920 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Map Store Locator (map-store-location) versions up to and including 1.2.1. The plugin fails to properly neutralize input during web page generation, enabling script injection through the Document Object Model (DOM).

Exploitation

Conditions Exploitation requires user interaction—a privileged user must perform an action such as clicking a crafted link, visiting a specially constructed page, or submitting a form. The vulnerability can be initiated by users with certain roles, but successful execution depends on the target's interaction with the malicious payload [1].

Impact

An attacker can inject arbitrary JavaScript, leading to redirects, unwanted advertisements, or other HTML payloads that execute when visitors access the affected website. This can be used for mass-exploit campaigns targeting thousands of sites regardless of their size or popularity [1].

Mitigation

The plugin should be updated to a patched version if available. If an update is not possible, the site administrator should contact their hosting provider or web developer for assistance. The vulnerability is listed with a CVSS score of 6.5 (Medium), indicating moderate severity with a requirement for user interaction [1].