Reflected Cross-Site Scripting Vulnerability in G Web Pro Store Locator Plugin for WordPress
CVE-2024-11682

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
21 December 2024

Summary

CVE-2024-11682 is a high-risk Reflected Cross-Site Scripting (XSS) vulnerability found in the G Web Pro Store Locator plugin for WordPress. It arises from inadequate input sanitization and output escaping in the handling of the 'q' parameter. This vulnerability allows unauthenticated attackers to inject malicious web scripts into web pages. The exploitation hinges on the attacker successfully deceiving a user into clicking a specially crafted link, potentially leading to session hijacking, user data theft, or redirection to malicious sites. All versions of the plugin up to and including 2.1 are affected, emphasizing the need for timely patching and security measures.
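To make the sanitization and escaping gap described above concrete, the following is an added illustration, not the plugin's own code: a hypothetical WordPress request handler that reflects the 'q' parameter into the page unsafely, placed beside a hardened version that uses the real WordPress APIs sanitize_text_field(), wp_unslash(), esc_html() and esc_attr(). The gwp_demo_* function names are assumptions made for this example.

```php
<?php
// Added example (hypothetical handler, not the G Web Pro Store Locator source).
// Shows the pattern behind a reflected XSS on a search parameter and its fix.

// Vulnerable pattern: the 'q' query parameter is read and echoed straight back
// into the response. Nothing is sanitized on input or escaped on output, so any
// markup carried in the request is rendered by the victim's browser.
function gwp_demo_render_search_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Results for: ' . $q . '</p>';                    // unescaped text node
    echo '<input type="text" name="q" value="' . $q . '">';   // unescaped attribute
}

// Hardened pattern: sanitize on the way in, then escape for the exact output
// context. Both steps matter; sanitization alone does not guarantee that the
// browser treats the value as data once it lands in HTML.
function gwp_demo_render_search_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and stray whitespace.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // esc_html() for text content, esc_attr() for attribute values.
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';

    // If the same value is handed to inline JavaScript (for example to seed a
    // map widget), use wp_json_encode() for that context instead of the HTML
    // escapers; each output context needs its own encoding.
}
```

Reviewing a plugin for this class of bug means checking every place a request value reaches output and confirming the escape function matches the context (HTML body, attribute, URL, JavaScript) rather than relying on input sanitization alone.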

Affected Version(s)

G Web Pro Store Locator <= 2.1

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Dale Mavers