CVE-2024-10048 in Post Status Notifier Lite Plugin

Summary

by MITRE • 10/29/2024

The Post Status Notifier Lite and Premium plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 05/13/2026

The Post Status Notifier Lite and Premium WordPress plugins contain a critical reflected cross-site scripting vulnerability that affects all versions up to and including 1.11.6. The flaw stems from inadequate input validation and output escaping in the plugin's handling of the 'page' request parameter, whose value is reflected into the generated page without being escaped for its output context. It allows malicious actors to inject arbitrary web scripts that execute in the victim's browser when the victim follows a specially crafted link. This represents a significant security risk, as it can be exploited by unauthenticated attackers to compromise user sessions and execute script in the context of the affected site.

The technical nature of this vulnerability places it firmly within the scope of CWE-79, which defines cross-site scripting as a weakness where untrusted data is sent to a web browser without proper validation or escaping. The reflected nature of the vulnerability means that the malicious script is reflected off the web server rather than being stored, making it particularly dangerous as it requires only a single interaction from the victim to be effective. Attackers can craft malicious URLs containing script payloads that appear legitimate to users, leveraging social engineering tactics to trick victims into clicking on these links. The vulnerability affects both the lite and premium versions of the plugin, indicating a fundamental flaw in the code implementation that has persisted across different feature sets.

From an operational perspective, this vulnerability creates substantial risk for WordPress site administrators and their users. The reflected XSS attack vector allows threat actors to potentially steal session cookies, perform actions on behalf of authenticated users, or redirect victims to malicious websites. The impact extends beyond simple script execution as it can be leveraged for more sophisticated attacks including credential theft, session hijacking, and data exfiltration. Given that WordPress remains one of the most widely used content management systems, plugins with such vulnerabilities pose a significant threat to the broader web ecosystem. The fact that this vulnerability affects both free and premium versions suggests that the core security flaws were present in the foundational code rather than being introduced in feature-specific implementations.

Security practitioners should immediately implement mitigations including updating to the latest plugin versions where available, implementing proper input validation and output escaping mechanisms, and deploying web application firewalls to filter malicious requests. The vulnerability aligns with ATT&CK technique T1566 which covers spearphishing attacks that often leverage XSS vulnerabilities to deliver malicious payloads. Organizations should also consider implementing content security policies and monitoring for suspicious parameter usage in their web applications. Regular security audits of third-party plugins and maintaining up-to-date security practices remain critical defensive measures against such vulnerabilities. The presence of this flaw in widely-used plugins underscores the importance of proper security testing during development cycles and the need for continuous monitoring of plugin security updates.
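The analysis above describes the flaw as insufficient escaping of the reflected 'page' parameter and names proper input validation and output escaping as the fix. The following is an added illustration, not code from the plugin or from VulDB: it shows the generic WordPress admin-screen pattern that produces this class of bug beside its hardened form. The function names, the allowed slug list and the form markup are hypothetical; the code assumes the WordPress API (`sanitize_key`, `wp_unslash`, `esc_attr`, `esc_url`, `add_query_arg`, `admin_url`) is loaded.

```php
<?php
// Added illustration (not the plugin's own code). Hypothetical render
// functions for a WordPress admin screen that reflects the 'page' query
// parameter into its markup, first unescaped, then hardened.

// Vulnerable pattern: the raw request value is echoed into HTML as-is, so
// whatever arrives in ?page=... becomes part of the attribute and the markup.
function psn_demo_render_form_vulnerable() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';
    echo '<form method="post" action="admin.php?page=' . $page . '">';
    echo '<input type="hidden" name="page" value="' . $page . '">';
    echo '</form>';
}

// Hardened pattern: constrain the input to what a menu slug may contain,
// allow-list it against the slugs this screen actually registers, and escape
// for the exact output context (URL attribute vs. plain attribute value).
function psn_demo_render_form_hardened() {
    // sanitize_key() keeps only lowercase letters, digits, '_' and '-',
    // so the value can no longer carry quotes, angle brackets or spaces.
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';

    // Constructed allow-list of the slugs the hypothetical plugin registers;
    // anything else falls back to the default screen instead of being reflected.
    $allowed = array( 'psn_demo_settings', 'psn_demo_rules' );
    if ( ! in_array( $page, $allowed, true ) ) {
        $page = $allowed[0];
    }

    // esc_url() for the URL in the action attribute, esc_attr() for the
    // hidden field value; each escapes for its own context.
    $action = esc_url( add_query_arg( 'page', $page, admin_url( 'admin.php' ) ) );
    echo '<form method="post" action="' . $action . '">';
    echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
    echo '</form>';
}
```

Validating against an allow-list of registered slugs removes the reflected value entirely rather than merely escaping it, which is the stronger of the two mitigations the analysis calls for.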

Reservation

10/16/2024

Disclosure

10/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00291

KEV

no

Activities

very low

Sources
