CVE-2024-52459
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chameleoni Chameleoni Jobs chameleon-jobs allows Reflected XSS. This issue affects Chameleoni Jobs: from n/a through <= 2.5.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Chameleoni Jobs WordPress plugin ≤2.5.4 allows attackers to inject arbitrary scripts via crafted input.
Vulnerability Overview
The Chameleoni Jobs WordPress plugin up to version 2.5.4 suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. An attacker can inject arbitrary JavaScript code through a crafted request, which is then reflected back to the user's browser without proper sanitization.
Exploitation
This is a reflected XSS attack, meaning the victim must interact with a malicious link (e.g., via phishing). No authentication is required, and the attack can be performed over HTTP or HTTPS. The vulnerable parameter likely exists in any page of the plugin that echoes user-supplied data, such as the job search or candidate registration forms.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's WordPress session. This could lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information (e.g., cookies or credentials). The CVSS v3 score is 7.1, reflecting a high severity with medium attack complexity.
Mitigation
The vendor has released version 2.5.6, which includes a bug fix for this issue [1]. All users are strongly advised to update to the latest version immediately. The plugin is available in the WordPress plugin repository, and updates can be performed automatically or manually via the admin dashboard.
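To confirm whether a given site still runs an affected build, the installed version can be read from the plugin's header comment and compared with the bounds stated above. This is an added example, not code from the vendor or the advisory; it assumes the standard `wp-content/plugins/` layout and that the plugin directory is named after the slug `chameleon-jobs`, and the sample header is constructed.

```python
import re
from pathlib import Path

# Slug and version bounds come from the advisory text above.
PLUGIN_SLUG = "chameleon-jobs"
LAST_AFFECTED, FIXED = (2, 5, 4), (2, 5, 6)

# Same line shape WordPress accepts for a header field in the main plugin file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: Chameleoni Jobs\n * Version: 2.5.4\n */\n"


def parse_version(header_text):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = HEADER_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "2.5" to (2, 5, 0)


def classify(version):
    """Map a version tuple onto the ranges the advisory gives."""
    if version is None:
        return "unknown"
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIXED:
        return "fixed"
    return "unconfirmed"  # e.g. 2.5.5: the page does not state its status


def audit(wp_root):
    """Classify the plugin installed under a WordPress root directory."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not installed"
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only scans the first 8 KB of a file for header fields.
        head = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            return classify(parse_version(head))
    return "unknown"


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the WordPress root as the only argument; a result of `unconfirmed` means the installed version falls between the last affected and the fixed release named on this page.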
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.