CVE-2024-56018

CVE-2024-56018 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the BU Section Editing WordPress plugin developed by BU Web Team (bu-section-editing), with all versions from n/a through 0.9.9 vulnerable. Published on 2025-01-02, the issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking a victim user into interacting with a malicious payload (UI:R), such as clicking a crafted link or submitting tainted input. Successful exploitation reflects and executes arbitrary JavaScript in the victim's browser context within the site's origin, with changed scope (S:C) allowing potential theft of session data, cookies, or other sensitive information, alongside low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L).

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bu-section-editing/vulnerability/wordpress-bu-section-editing-plugin-0-9-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS in the BU Section Editing plugin up to version 0.9.9, recommending mitigation through updating to a non-vulnerable version.