CVE-2024-56069

CVE-2024-56069 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP SuperBackup plugin (indeed-wp-superbackup) by azzaroco for WordPress. This issue affects all versions of the plugin from its initial release through 2.3.3. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

Attackers can exploit this reflected XSS remotely without authentication by tricking users, such as site administrators, into interacting with a maliciously crafted URL or input that gets reflected back without neutralization during web page generation. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially enabling session hijacking, data theft, or further site compromise depending on the victim's privileges.

The Patchstack advisory provides details on this vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.