CVE-2024-37261
published 2024-07-22
CVE-2024-37261: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon…
Priority P180 · medium · 6.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.63% (45.6th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon wp-lister-for-amazon. This issue affects WP-Lister Lite for Amazon: from n/a through <= 2.6.16.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp_lab | wp-lister_lite_for_amazon | <= 2.6.16 | — |
| wplab | wp-lister_lite_for_amazon | < 2.6.17 | 2.6.17 |
Detection & IOCs
url: `/wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from={{rand}}%22+autofocus+onfocus%3D%22alert%28document.domain%29%22+x%3D%22`
- Reflected XSS payload injected via the `date_from` GET parameter on the wpla-tools admin page (tab=stock_log). Look for the unescaped value reflected inside a `name="date_from"` input field in the response body.
- The attack requires the victim to be authenticated (admin-level) and be tricked into clicking a crafted link targeting `/wp-admin/admin.php?page=wpla-tools&tab=stock_log` with a malicious `date_from` parameter.
- Detection signature: HTTP response body contains both `value="<payload>" autofocus onfocus="alert(document.domain)"` and `name="date_from"` together, confirming unsanitized reflection of the `date_from` input.
- Vulnerability affects WP-Lister Lite for Amazon plugin versions up to and including 2.6.16 only. Patched versions are not affected.
- The Nuclei template requires valid WordPress credentials (username/password) to authenticate before triggering the XSS endpoint, meaning exploitation requires a logged-in session despite the plugin being described as exploitable by unauthenticated attackers via social engineering.
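The signature above inspects the response body; the same indicator can be hunted on the request side in web server access logs. The following is an added example, not part of this page's sources or the Nuclei template. It assumes combined-format access logs and that a legitimate `date_from` value contains only digits and date separators; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate date filter holds only digits and date separators.
SAFE_DATE_RE = re.compile(r'[0-9]{1,4}(?:[-/.][0-9]{1,2}){0,2}')
# Characters that can close a quoted HTML attribute or open a new tag.
BREAKOUT_CHARS = set('"\'<>`')

def suspicious_date_from(log_line):
    """Return the decoded date_from value when a request to the wpla-tools
    admin page carries a value that is not a plain date, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith('/wp-admin/admin.php'):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
    if 'wpla-tools' not in params.get('page', []):
        return None
    for value in params.get('date_from', []):
        if value and not SAFE_DATE_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_index, kind, decoded_value) for every flagged request.
    kind is 'breakout' when attribute/tag breakout characters are present,
    otherwise 'malformed' (unexpected but not obviously markup)."""
    hits = []
    for index, line in enumerate(lines):
        value = suspicious_date_from(line)
        if value is not None:
            kind = 'breakout' if BREAKOUT_CHARS & set(value) else 'malformed'
            hits.append((index, kind, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from=2024-07-01 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jul/2024:10:02:10 +0000] "GET /wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from=12345%22+autofocus+onfocus%3D%22alert%28document.domain%29%22+x%3D%22 HTTP/1.1" 200 5188',
    '198.51.100.4 - - [22/Jul/2024:10:03:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&date_from=%22x HTTP/1.1" 200 900',
    '203.0.113.9 - - [22/Jul/2024:10:04:00 +0000] "GET /wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from=last+week HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit means a crafted link was requested, not that script ran; correlate flagged entries with the installed plugin version and the referrer of the request.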
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM
GHSA
GHSA-8fff-pwm7-53j5: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows R
ghsa_unreviewed·2024-07-22
CVE-2024-37261 [HIGH] CWE-79 GHSA-8fff-pwm7-53j5: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows R
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Reflected XSS. This issue affects WP-Lister Lite for Amazon: from n/a through 2.6.16.
VulnCheck
WP Lab wp-lister_lite_for_amazon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2024·CVSS 6.1
CVE-2024-37261 [MEDIUM] WP Lab wp-lister_lite_for_amazon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon wp-lister-for-amazon. This issue affects WP-Lister Lite for Amazon: from n/a through <= 2.6.16.
Affected: WP Lab wp-lister_lite_for_amazon
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/wp-lister-for-amazon/vulnerability/wordpress-wp-lister-lite-for-amazon-plugin-2-6-16-reflected-cross-site-scripting-xss-vulnerability
No detection rules found.
Nuclei
WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2024-37261 [MEDIUM] WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting
The WP-Lister Lite for Amazon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.6.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Template:
```yaml
id: CVE-2024-37261
info:
  name: WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting
  author: Kazgangap
  severity: medium
  description: |
    The WP-Lister Lite for Amazon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.6.16 due to insufficient input sanitization and outpu
```
No writeups or analysis indexed.
https://patchstack.com/database/Wordpress/Plugin/wp-lister-for-amazon/vulnerability/wordpress-wp-lister-lite-for-amazon-plugin-2-6-16-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
https://patchstack.com/database/vulnerability/wp-lister-for-amazon/wordpress-wp-lister-lite-for-amazon-plugin-2-6-16-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
Published: 2024-07-22
Exploited in the wild