CVE-2024-56299

CVE-2024-56299 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-Site Scripting (XSS) under CWE-79, in the Pektsekye Notify Odoo (notify-odoo) WordPress plugin. This issue affects Notify Odoo versions from an unspecified starting point through 1.0.0. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by leveraging a CSRF-to-Stored XSS vector, as detailed in the Patchstack advisory. Exploitation requires tricking a user into interacting with a malicious payload, such as submitting crafted input via a cross-site request forgery that stores executable scripts on the target site. Successful exploitation allows attackers to inject and persist malicious scripts, potentially leading to session hijacking, data theft, or further site compromise for subsequent visitors, though impacts remain limited per the CVSS metrics.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/notify-odoo/vulnerability/wordpress-notify-odoo-plugin-1-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability specifically in Notify Odoo WordPress plugin version 1.0.0. Security practitioners should review the advisory for detailed patch information, update to a fixed version if available, and implement input sanitization or content security policies as interim mitigations.