CVE-2024-37261
published 2024-07-22

CVE-2024-37261: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon…

Priority: P180 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 0.63% (45.6th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon wp-lister-for-amazon. This issue affects WP-Lister Lite for Amazon: from n/a through <= 2.6.16.

Affected (2 ranges)

Vendor | Product                   | Version range | Fixed in
wp_lab | wp-lister_lite_for_amazon | <= 2.6.16     |
wplab  | wp-lister_lite_for_amazon | < 2.6.17      | 2.6.17

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from={{rand}}%22+autofocus+onfocus%3D%22alert%28document.domain%29%22+x%3D%22
Path: /wp-admin/admin.php?page=wpla-tools&tab=stock_log
  • Reflected XSS payload injected via the `date_from` GET parameter on the wpla-tools admin page (tab=stock_log). Look for the unescaped value reflected inside a `name="date_from"` input field in the response body.
  • The attack requires the victim to be authenticated (admin-level) and be tricked into clicking a crafted link targeting /wp-admin/admin.php?page=wpla-tools&tab=stock_log with a malicious date_from parameter.
  • Detection signature: HTTP response body contains both `value="<payload>" autofocus onfocus="alert(document.domain)"` and `name="date_from"` together, confirming unsanitized reflection of the date_from input.
  • Vulnerability affects WP-Lister Lite for Amazon plugin versions up to and including 2.6.16 only. Patched versions are not affected.
  • The Nuclei template requires valid WordPress credentials (username/password) to authenticate before triggering the XSS endpoint, meaning exploitation requires a logged-in session despite the plugin being described as exploitable by unauthenticated attackers via social engineering.
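To turn the indicators above into something a defender can run, here is an added Python example (not from this page, the plugin vendor or the Nuclei project) that flags the request pattern in web-server access logs and checks a response body for the unescaped reflection described in the detection signature; the log lines, client addresses and the `x7q` marker value are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Detection for the CVE-2024-37261 pattern described above: a date_from value on the
# wpla-tools stock_log admin page carrying attribute/HTML metacharacters or an inline
# event handler, and a response reflecting that value verbatim in the date_from input.
TARGET_PAGE, TARGET_TAB = "wpla-tools", "stock_log"
SUSPICIOUS = re.compile(r'["\'<>]|\bon[a-z]+\s*=', re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')  # combined log format

def date_from_values(target: str) -> list[str]:
    """Decoded date_from values of a request aimed at the stock_log tab, else []."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    if qs.get("page") != [TARGET_PAGE] or qs.get("tab") != [TARGET_TAB]:
        return []
    return qs.get("date_from", [])

def scan_access_log(lines: list[str]) -> list[tuple[str, str]]:
    """(client address, decoded date_from) for each request that matches the pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for value in date_from_values(m.group("target")):
            if SUSPICIOUS.search(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits

def response_reflects_unescaped(body: str, injected: str) -> bool:
    """Page signature: the date_from input is present and the raw value is reflected
    verbatim; an escaped rendering would carry &quot; in place of the quote."""
    return 'name="date_from"' in body and injected in body

# Constructed sample data (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from=2024-07-01 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Jul/2024:10:02:07 +0000] "GET /wp-admin/admin.php?page=wpla-tools&tab=stock_log&date_from=x7q%22+autofocus+onfocus%3D%22alert%28document.domain%29%22+x%3D%22 HTTP/1.1" 200 5311',
    '203.0.113.7 - - [22/Jul/2024:10:03:11 +0000] "GET /wp-admin/admin.php?page=wpla-tools&tab=listings&date_from=%22 HTTP/1.1" 200 4000',
]
INJECTED = 'x7q" autofocus onfocus="alert(document.domain)" x="'
VULN_BODY = '<input type="text" name="date_from" value="' + INJECTED + '">'
SAFE_BODY = ('<input type="text" name="date_from" value="x7q&quot; autofocus '
             'onfocus=&quot;alert(document.domain)&quot; x=&quot;">')

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))  # [('203.0.113.9', 'x7q" autofocus onfocus=...')]
    print(response_reflects_unescaped(VULN_BODY, INJECTED), response_reflects_unescaped(SAFE_BODY, INJECTED))  # True False
```

The request-side check is scoped to the stock_log tab named in the indicators; widening it to the whole wpla-tools page is a one-line change if you want broader coverage.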

CVSS provenance

NVD: v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 6.1 MEDIUM