CVE-2024-49633

CVE-2024-49633 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Designinvento DirectoryPress WordPress plugin. This issue affects DirectoryPress versions from n/a through 3.6.19, allowing attackers to inject malicious scripts into dynamically generated web pages.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as visiting a malicious link. Unauthenticated attackers can exploit it by crafting payloads that reflect off the server into a victim's browser, achieving arbitrary JavaScript execution in the site's context with changed scope and low impacts to confidentiality, integrity, and availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/directorypress/vulnerability/wordpress-directorypress-plugin-3-6-19-cross-site-scripting-xss-vulnerability?_s_id=cve documents the vulnerability in the WordPress DirectoryPress plugin version 3.6.19. Security practitioners should consult this reference for mitigation guidance.