CVE-2024-53278
Description
A cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to 1.5.14. If a malicious admin user customizes the admin screen with malicious content, arbitrary script may be executed in the web browsers of other users who access the admin screen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WP Admin UI Customize plugin allows a malicious admin to inject scripts that execute in other admin users' browsers.
Vulnerability
Overview
CVE-2024-53278 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin WP Admin UI Customize, affecting versions prior to 1.5.14. The plugin allows administrators to customize the admin interface, but certain input fields lack proper sanitization, enabling the injection of arbitrary JavaScript code [1][2].
Exploitation
An attacker with admin-level privileges can inject malicious content into customizable fields of the admin screen. When other admin users access the affected admin pages, the injected script executes in their browsers. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) indicates that while the attack requires high privileges and user interaction (a victim must open the customized admin page), it can be launched over the network; the scope-changed rating (S:C) reflects that the payload runs in other users' browsers rather than in the plugin itself [1].
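The pattern behind this class of bug, as an added illustration rather than code from WP Admin UI Customize: an admin-editable string is written to the options table and echoed back into the admin screen with no escaping, so whatever one admin saves executes for every other admin who renders the page. The option name and function names below are hypothetical; the WordPress functions they call (update_option, get_option, esc_html, sanitize_text_field, wp_kses_post, current_user_can) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Option name and the auic_demo_*
// functions are hypothetical; the WordPress core functions are real.

// ---- Vulnerable pattern: no sanitization on write, no escaping on read.
// Any admin who saves "<script>...</script>" here gets script execution in
// every other admin's browser that renders this screen.

function auic_demo_save_vulnerable( string $raw ) {
    update_option( 'auic_demo_footer_text', $raw );
}

function auic_demo_render_vulnerable() {
    // Stored-XSS sink: the option value is concatenated straight into HTML.
    echo '<div class="auic-footer">'
        . get_option( 'auic_demo_footer_text', '' )
        . '</div>';
}

// ---- Hardened pattern: decide what the field legitimately holds and enforce
// it at both ends. Output escaping is the control that actually stops the
// script from running; input sanitization limits what gets persisted.

function auic_demo_save_hardened( string $raw ) {
    // Capability check: only users allowed to manage options may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Plain-text field: strip tags, octets and line breaks before storing.
    update_option( 'auic_demo_footer_text', sanitize_text_field( $raw ) );
    return true;
}

function auic_demo_render_hardened() {
    // Escape on output regardless of what is stored: esc_html() converts
    // < > & " ' to entities, so a stored <script> tag renders as text.
    echo '<div class="auic-footer">'
        . esc_html( get_option( 'auic_demo_footer_text', '' ) )
        . '</div>';
}

// If the field must allow a limited HTML subset (links, emphasis), use the
// post-content allow-list instead of plain escaping. wp_kses_post() removes
// <script>, on* event handler attributes and javascript: URLs while keeping
// benign markup such as <a href="https://...">.
function auic_demo_render_rich_hardened() {
    echo '<div class="auic-footer">'
        . wp_kses_post( get_option( 'auic_demo_footer_text', '' ) )
        . '</div>';
}
```

When reviewing a plugin for this bug class, trace every value that reaches get_option() or the settings API from an admin form to the point where it is echoed into an admin page; the absence of esc_html(), esc_attr() or a wp_kses_*() call at that sink is the finding, independent of whether the write path sanitizes.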
Impact
Successful exploitation allows arbitrary script execution in the context of other admin users' sessions. This could lead to session hijacking, defacement, or theft of sensitive data. The CVSS score of 4.8 (Medium) reflects the limited confidentiality and integrity impact given the prerequisite of admin privileges [1]. Note that on a single-site WordPress install administrators already hold the unfiltered_html capability, so the practical exposure is greatest on multisite installs and on sites that define DISALLOW_UNFILTERED_HTML, where administrators are not expected to be able to store raw script.
Mitigation
The vulnerability is fixed in version 1.5.14, released by the developer after coordination with JPCERT/CC [1][2]. Users are strongly advised to update the plugin to 1.5.14 or later immediately. No workaround is available; updating is the only fix.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2 listed; 1 more not shown)
- (no CPE)
- (no CPE), affected range: < 1.5.14
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.