CVE-2024-3469
published 2024-06-05


Priority: P277 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
In-the-wild exploitation: listed in VulnCheck KEV (exploited in the wild)
EPSS: 0.64% (45.9th percentile)
The GP Premium plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the message parameter in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affected (2 ranges)

Vendor          Product         Version range   Fixed in
generatepress   generatepress   < 2.4.1         2.4.1
generatepress   gp_premium      <= 2.4.0        (no fixed version listed)

Detection & IOCs (extracted from sources)

other: message parameter (reflected XSS via GP Premium plugin)
other: setting-error-license_failed
  • Monitor for reflected XSS payloads in the 'message' GET/POST parameter on WordPress pages running GP Premium plugin versions <= 2.4.0
  • Look for the 'setting-error-license_failed' value in the message parameter as part of the XSS exploit chain, combined with injected JavaScript (e.g., alert(document.domain))
  • The vulnerability is exploitable by unauthenticated attackers only if a user can be tricked into clicking a crafted link; it is not directly exploitable without user interaction
  • All GP Premium plugin versions up to and including 2.4.0 are affected; ensure detection rules are scoped to this version range

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck   -         6.1     MEDIUM     -