CVE-2024-56029
Published: 02 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dreamwinner Easy Language Switcher easy-language-switcher allows Reflected XSS. This issue affects Easy Language Switcher: from n/a through <= 1.0.
Security Summary
CVE-2024-56029 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the dreamwinner Easy Language Switcher WordPress plugin (easy-language-switcher). It affects all versions up to and including 1.0. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this reflected XSS over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link. Exploitation reflects unsanitized input into the web page, allowing script execution in the victim's browser context with changed scope. This enables limited impacts on confidentiality, integrity, and availability, such as session hijacking via cookie theft or minor site defacement.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/easy-language-switcher/vulnerability/wordpress-easy-language-switcher-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability in the WordPress Easy Language Switcher plugin version 1.0.
Details
- CWE(s)