CVE-2024-56033

CVE-2024-56033 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Think201 FAQs WordPress plugin, with vulnerable versions spanning from an unspecified initial release through 1.0.2. The issue was published on 2025-01-02 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this remotely over the network without authentication or privileges, but it requires user interaction such as clicking a malicious link. A successful Reflected XSS attack injects and executes arbitrary JavaScript in the victim's browser context upon reflection of attacker-controlled input during web page generation. This scope change (S:C) allows limited impacts on confidentiality, integrity, and availability, potentially enabling session hijacking, data theft, or other client-side compromises within the affected site.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/faqs/vulnerability/wordpress-faqs-plugin-1-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability specifically in WordPress FAQs plugin version 1.0.2. Practitioners should review this reference for detailed mitigation guidance, including any available patches or workarounds from the vendor.