CVE-2024-7136
Description
Stored XSS in JetSearch plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary scripts via the 'id' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The JetSearch plugin for WordPress, developed by Crocoblock, is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.5.2. The flaw resides in insufficient input sanitization and output escaping of the 'id' parameter, allowing authenticated attackers to inject arbitrary web scripts that execute when a user accesses a compromised page [1].
Exploitation
Prerequisites
An attacker must have at least Contributor-level access to the WordPress site. The vulnerability is triggered by supplying a malicious payload in the 'id' parameter, which is then stored and rendered unsafely. No additional authentication or network position is required beyond the initial contributor account.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, defacement, or redirection to malicious sites, compromising the integrity and confidentiality of the WordPress installation.
Mitigation
Crocoblock has not yet released a patched version as of the publication date. Users are advised to restrict Contributor-level access or apply input validation and output escaping manually until an update is available.
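The advice above (validate on input, escape on output) in code, as an added illustration that is not JetSearch's or Crocoblock's code: the render functions, the markup and the request array are hypothetical, and the stand-in definitions of `absint()` and `esc_attr()` are simplified versions of the real WordPress helpers so the file runs outside WordPress. The first function shows the class of defect the description names (an `id` value reaching HTML unescaped); the second shows the hardened form.

```php
<?php
// Added example, not plugin code. Outside WordPress the core helpers do not
// exist, so minimal stand-ins are defined; inside WordPress the real ones win.
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Real esc_attr() also normalises entities; this is the escaping core.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Vulnerable pattern (hypothetical): the stored 'id' value is concatenated
 * straight into an HTML attribute, so a quote in the value breaks out of it.
 */
function render_search_box_unsafe( array $stored ): string {
    $id = $stored['id'] ?? '';
    return '<div class="jet-search" id="' . $id . '"></div>';
}

/**
 * Hardened pattern (hypothetical): validate the type when the value is
 * saved, and escape again at the point where it is written into markup.
 */
function sanitize_search_box_settings( array $input ): array {
    // An element id here is only ever numeric; anything else collapses to 0.
    return array( 'id' => absint( $input['id'] ?? 0 ) );
}

function render_search_box_safe( array $stored ): string {
    $id = absint( $stored['id'] ?? 0 );
    // Escape on output even though the value was validated on input: the two
    // layers protect each other if either is bypassed later.
    return '<div class="jet-search" id="' . esc_attr( 'jet-search-' . $id ) . '"></div>';
}

// Constructed input: a value that closes the attribute and injects markup.
$hostile = array( 'id' => '1"><b>injected</b>' );

echo render_search_box_unsafe( $hostile ), PHP_EOL;
// <div class="jet-search" id="1"><b>injected</b>"></div>   (markup injected)

echo render_search_box_safe( sanitize_search_box_settings( $hostile ) ), PHP_EOL;
// <div class="jet-search" id="jet-search-1"></div>          (value neutralised)
```

The save-time sanitizer is the piece to hook into whatever settings or shortcode-attribute callback stores the value; the output escaping belongs in every template or render function that prints it, since a Contributor-level account can reach the storage path but should never be able to reach the page markup unescaped.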
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 3.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.