Cyber Posture

CVE-2024-56060

Severity: High
Published: 02 January 2025
Modified: 23 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0019 (percentile 41.2)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms (html-forms) allows Reflected XSS. This issue affects HTML Forms: from n/a through <= 1.4.1.

Security Summary

CVE-2024-56060 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the HTML Forms WordPress plugin developed by Link Software LLC. The flaw affects every version of the html-forms plugin up to and including 1.4.1. It carries a CVSS v3.1 base score of 7.1; the vector breaks down as network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), changed scope (S:C), and low impact on confidentiality, integrity and availability (C:L/I:L/A:L).

Exploitation needs no account on the site. The attacker crafts a URL or form submission in which a request parameter is echoed into the plugin's generated HTML without being encoded for its output context, and delivers it to a victim who uses the vulnerable site, for example a logged-in administrator. The payload runs only when the victim opens the crafted link (UI:R), and it runs in the site's own origin. The changed scope reflects that the vulnerable component is the server-side plugin while the impacted component is the victim's browser. Within that origin the injected script can read page content, send requests that carry the victim's cookies and nonces, and alter what the victim sees; it cannot read WordPress's authentication cookies directly, since those are set HttpOnly, so the realistic outcome against an administrator is actions performed on their behalf rather than cookie theft. The A:L component covers breaking the page for that victim. Because the advisory identifies the affected range only by plugin version, the practical check is whether the installed html-forms version is 1.4.1 or lower; the affected range ends there, so upgrading to a later release is the remediation.
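To make the CWE-79 pattern behind this advisory concrete, the following is an added PHP illustration written for this page, not code from the HTML Forms plugin (the advisory does not name the affected parameter or template). The parameter name hf_prefill, the function names and the rendered input field are assumptions; the vulnerable and hardened renderers differ only in whether the reflected value is encoded for the HTML-attribute context before it is written into the page. A version-range check for triage is included because the affected range is expressed purely as a version bound.

```php
<?php
/**
 * Added illustration of the reflected-XSS pattern (CWE-79), NOT code from the
 * HTML Forms plugin. The parameter name `hf_prefill`, the function names and
 * the input field are assumptions made for this demonstration.
 */

// Constructed attacker input: closes the value attribute, then injects script.
$payload = '"><script>alert(document.domain)</script>';

// Vulnerable pattern: a request value is concatenated straight into an
// attribute, so a double quote in the input ends the attribute and whatever
// follows becomes markup.
function hf_render_field_vulnerable(string $prefill): string {
    return '<input type="text" name="message" value="' . $prefill . '">';
}

// Hardened pattern: encode for the HTML-attribute context before output.
// Inside WordPress this is esc_attr(); htmlspecialchars() is used as the
// fallback so the file runs outside WordPress. ENT_QUOTES matters: without it
// a double quote is left alone and still terminates the attribute.
function hf_escape_attr(string $value): string {
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hf_render_field_hardened(string $prefill): string {
    return '<input type="text" name="message" value="'
        . hf_escape_attr($prefill) . '">';
}

// Triage helper: is an installed plugin version inside the affected range
// (<= 1.4.1)? version_compare() is used deliberately; a string comparison
// would rank "1.4.10" below "1.4.2" and misclassify such a release.
function hf_is_affected(string $installed_version): bool {
    return version_compare($installed_version, '1.4.1', '<=');
}

// Reflected input arrives unauthenticated via the query string (PR:N); the
// victim only has to open a link carrying it (UI:R). On the CLI $_GET is
// empty, so the constructed payload is used instead.
$prefill = isset($_GET['hf_prefill']) ? (string) $_GET['hf_prefill'] : $payload;

echo 'vulnerable: ' . hf_render_field_vulnerable($prefill) . PHP_EOL;
echo 'hardened:   ' . hf_render_field_hardened($prefill) . PHP_EOL;
echo '1.4.1 affected: ' . var_export(hf_is_affected('1.4.1'), true) . PHP_EOL;
echo '1.4.10 affected: ' . var_export(hf_is_affected('1.4.10'), true) . PHP_EOL;

// Cheap regression check a reviewer can keep: the hardened output must never
// contain a raw "<script" sequence, whatever the input.
assert(strpos(hf_render_field_hardened($payload), '<script') === false);
```

Run it with `php example.php`, or serve it and open `?hf_prefill=%22%3E%3Cscript%3Ealert(1)%3C/script%3E` in a browser to see the vulnerable line execute and the hardened line render as text. The encoding function must match the output context: esc_attr() for attribute values, esc_html() for element content, esc_url() for href/src values and wp_json_encode() for values placed inside a script block; applying an attribute encoder to a URL or script context is a common way a fix ends up incomplete.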

The Patchstack advisory is the reference for this entry; it documents the Reflected XSS in the HTML Forms plugin at version 1.4.1 and is the source for the affected-version range and remediation details.

Details

CWE(s)
CWE-79

References