CVE-2024-55864
Description
Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in My WP Customize Admin/Frontend plugin prior to 1.24.1 allows a privileged attacker to inject arbitrary scripts into admin pages.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in the WordPress plugin "My WP Customize Admin/Frontend" in versions prior to 1.24.1 [1]. The root cause is a failure to properly escape and sanitize certain values when customizing administrative pages, as confirmed by the developer's changelog which notes: "Fixed: Escape and sanitize the some values" as part of the security update [2]. This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [1].
Attack
Vector and Prerequisites
To exploit this vulnerability, an attacker must first have an administrative account on the WordPress site. The attacker can then customize the admin interface by injecting malicious script content into fields that the plugin does not sanitize. The stored XSS payload is then served to other administrative users when they access the affected admin page. User interaction (e.g., viewing the page) is required for the script to execute in the victim's browser [1].
Impact
If successfully exploited, an arbitrary script can be executed in the web browser of any other user who visits the crafted admin page. This could lead to actions such as session hijacking, defacement, or theft of sensitive information, though the CVSS (4.8, Medium) reflects the requirement of high privileges and user interaction [1].
Mitigation
The developer has released version 1.24.1, which escapes and sanitizes the affected values, thereby fixing the vulnerability [2]. Users are strongly advised to update to version 1.24.1 or later [1]. No workarounds have been announced.
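As an added illustration of the fix class the changelog describes (escape and sanitize values), and not code from the My WP Customize Admin/Frontend plugin, the following shows the sanitize-on-save, escape-on-output pattern a WordPress plugin uses for admin-customizable text; the option names, field names and function names are hypothetical.

```php
<?php
// Added example, not from the affected plugin. Option and function names
// (mwp_example_*) are hypothetical. Shows how an admin-supplied customization
// value becomes a stored XSS when echoed raw, and the WordPress-idiomatic fix.

// Vulnerable pattern: the value is stored unsanitized and printed unescaped,
// so a <script> saved by one administrator runs in every other admin's browser.
function mwp_example_vulnerable_footer() {
    $text = get_option( 'mwp_example_admin_footer', '' );
    echo $text;
}

// Allow-list used for fields that legitimately accept a little inline HTML.
// wp_kses() drops anything outside this list: <script>, on* event handlers,
// and javascript: URLs in href are all removed.
function mwp_example_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Fix, step 1: sanitize when the value is saved.
function mwp_example_sanitize_footer( $value ) {
    return wp_kses( (string) $value, mwp_example_allowed_html() );
}

add_action( 'admin_init', function () {
    register_setting( 'mwp_example_settings', 'mwp_example_admin_footer', array(
        'type'              => 'string',
        'sanitize_callback' => 'mwp_example_sanitize_footer',
        'default'           => '',
    ) );
} );

// Fix, step 2: escape again on output. Filtering at render time also covers
// values that were stored before the sanitizing callback existed.
function mwp_example_hardened_footer() {
    $text = get_option( 'mwp_example_admin_footer', '' );
    echo wp_kses( $text, mwp_example_allowed_html() );
}

// Plain-text fields (titles, labels) need no HTML at all: sanitize_text_field()
// on save, esc_html() or esc_attr() on output depending on the context.
function mwp_example_hardened_title() {
    $title = get_option( 'mwp_example_admin_title', '' );
    printf( '<h2 class="mwp-title">%s</h2>', esc_html( $title ) );
}
```

Escaping at output with the context-appropriate function (esc_html, esc_attr, wp_kses) is what closes the hole even when stored data is already tainted; sanitizing on save alone does not help existing rows.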
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Package: https://wordpress.org/plugins/my-wp
- Range: <1.24.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.