CVE-2024-29802 in Football Pool Plugin
Summary
by MITRE • 03/27/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Antoine Hurkmans Football Pool allows Stored XSS.This issue affects Football Pool: from n/a through 2.11.3.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/12/2025
The vulnerability CVE-2024-29802 represents a critical cross-site scripting flaw in the Antoine Hurkmans Football Pool plugin, specifically classified as a stored XSS vulnerability under CWE-79. This weakness occurs when the application fails to properly sanitize user input during web page generation, allowing malicious scripts to be permanently stored and executed in the context of other users' browsers. The vulnerability impacts versions from the initial release through 2.11.3, indicating a prolonged exposure window where users have been susceptible to this attack vector. The issue stems from inadequate input validation and output encoding mechanisms within the plugin's web page generation process, creating an environment where attacker-controlled data can be injected into dynamically generated HTML content without proper sanitization.
The technical exploitation of this vulnerability follows the ATT&CK framework's T1165 pattern for client-side attacks, where malicious code is executed in the victim's browser context. When users interact with the Football Pool plugin, particularly when viewing pages that display user-generated content or form submissions, the stored malicious script executes automatically in their browser. This occurs because the application does not properly neutralize or escape special characters in input fields before rendering them in HTML contexts, allowing attackers to inject javascript payloads that persist in the database. The stored nature of this XSS means that once the malicious input is submitted and processed by the server, it remains embedded in the application's data store and executes every time affected pages are accessed by other users.
The operational impact of CVE-2024-29802 extends beyond simple script execution, potentially enabling attackers to hijack user sessions, steal sensitive information, modify data, or redirect users to malicious websites. The vulnerability creates a persistent threat vector that can compromise multiple users over time, as the stored payload continues to affect anyone who views the affected content. Attackers could leverage this weakness to escalate privileges, access administrative functions, or exfiltrate user data through techniques such as cookie theft or form data harvesting. The attack surface includes any functionality within the Football Pool plugin that accepts user input and displays it on web pages, potentially affecting user accounts, team information, match results, or betting data. Organizations using this plugin face significant risk of data breaches and unauthorized access, particularly in environments where user-generated content is prevalent.
Mitigation strategies for CVE-2024-29802 should prioritize immediate patching of the Football Pool plugin to version 2.11.4 or later, which addresses the stored XSS vulnerability through proper input sanitization and output encoding mechanisms. Security measures should include implementing comprehensive input validation that rejects or escapes potentially dangerous characters, applying context-specific output encoding for all dynamic content, and implementing a Content Security Policy to limit script execution. Organizations should also conduct thorough security reviews of all user input handling processes within the application, ensuring that all dynamic content rendering follows secure coding practices. Additionally, regular security testing including automated scanning and manual penetration testing should be implemented to identify similar vulnerabilities in other components. The remediation process should involve sanitizing existing stored data that may contain malicious payloads and monitoring application logs for signs of exploitation attempts, as outlined in the OWASP Top Ten security practices for preventing XSS vulnerabilities.