Cyber Posture

CVE-2024-56289

Severity: High

Published: 07 January 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0755 (91.9th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg (groundhogg) allows Reflected XSS. This issue affects Groundhogg: from n/a through <= 3.7.3.3.

Security Summary

CVE-2024-56289 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Groundhogg WordPress plugin developed by Adrian Tobey. The issue impacts all versions of Groundhogg from n/a through 3.7.3.3. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), rated High: the flaw is reachable over the network, has low attack complexity, requires no privileges, does require user interaction, and has a changed scope, with low impacts on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely without authentication by tricking a user into interacting with a crafted link or input whose unsanitized content is reflected back into the generated web page. When the reflected payload executes in the victim's browser, it can lead to low-severity impacts such as limited data exfiltration, minor tampering, or denial of service within the context of the affected site; because the scope is changed, the effect can extend beyond the vulnerable component to other users of the site.
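The root cause described above is request data written into the HTML response without context-appropriate escaping. The following is an added illustration of that class of defect and its hardened form in WordPress plugin code; it is not code from Groundhogg or from the Patchstack advisory, and the handler names, the `search` query parameter and the markup are assumptions, not the plugin's actual vulnerable code.

```php
<?php
// Added illustration only; not Groundhogg code. Assumed: a plugin page
// handler that echoes the (assumed) "search" query parameter back into the page.

// Vulnerable pattern (CWE-79, reflected XSS): raw request data is written
// straight into the HTML response, so whatever arrives in the URL is
// rendered as markup in the browser of whoever follows that URL.
function gh_demo_render_search_vulnerable() {
    $term = isset( $_GET['search'] ) ? $_GET['search'] : '';
    echo '<input type="text" name="search" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: strip WordPress's added slashes and sanitize on input,
// then escape on output for the exact context the value lands in
// (attribute value vs. element text). esc_attr(), esc_html(),
// sanitize_text_field() and wp_unslash() are standard WordPress functions.
function gh_demo_render_search_hardened() {
    $term = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    echo '<input type="text" name="search" value="' . esc_attr( $term ) . '">';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}
```

Note that because a reflected XSS needs no authentication (PR:N in the vector above), a capability check such as `current_user_can()` would not close this class of bug on its own: the victim is already an authorized user, and the payload runs in their session. The fix is escaping at the point of output, with input sanitization as defense in depth.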

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/groundhogg/vulnerability/wordpress-groundhogg-plugin-3-7-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the vulnerability, including mitigation guidance such as updating to a patched version of the Groundhogg plugin later than 3.7.3.3. Security practitioners should review the advisory for the specific patch instructions and any workarounds.

Details

CWE(s)
CWE-79

References