CVE-2024-43975 in Super Store Finder Plugin
Summary
by MITRE • 09/18/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through <= 6.9.7.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/02/2026
The vulnerability identified as CVE-2024-43975 represents a critical cross-site scripting flaw within the highwarden Super Store Finder WordPress plugin, specifically impacting versions through 6.9.7. This weakness falls under the well-documented CWE-79 category for improper neutralization of input during web page generation, creating a persistent security risk for WordPress installations that utilize this plugin. The vulnerability stems from inadequate sanitization of user-supplied input parameters that are subsequently reflected in dynamically generated web pages without proper encoding or validation measures.
The technical implementation of this XSS vulnerability occurs when the plugin fails to properly sanitize or escape user input before incorporating it into HTML output within web pages. Attackers can exploit this weakness by injecting malicious scripts through input fields or parameters that are processed by the superstorefinder-wp plugin, potentially leading to unauthorized actions performed on behalf of authenticated users. The flaw exists in the plugin's handling of data that is intended to be displayed in user-facing interfaces, where input validation and output encoding mechanisms are insufficient to prevent script injection attacks.
Operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal sensitive information, manipulate web page content, or redirect users to malicious websites. The affected versions through 6.9.7 represent a significant attack surface since the vulnerability allows for persistent XSS attacks that can compromise user sessions and potentially lead to full system compromise if administrators are tricked into executing malicious payloads. This type of vulnerability particularly affects e-commerce and business directory websites that rely on store finder functionality, as it can be exploited to manipulate search results or inject malicious content into legitimate business listings.
Security practitioners should consider this vulnerability in the context of the ATT&CK framework, specifically mapping it to techniques involving command and control communications through web interfaces and credential access via session manipulation. The vulnerability's exploitation potential aligns with ATT&CK technique T1566 for credential harvesting and T1584 for establishing persistence through web application vulnerabilities. Mitigation strategies must include immediate plugin updates to versions that address the XSS flaw, implementation of web application firewalls to detect and block malicious input patterns, and comprehensive input validation across all user-facing parameters. Additionally, organizations should conduct thorough security assessments of their WordPress installations to identify other potential XSS vulnerabilities in plugins and themes that may be similarly affected by improper input neutralization practices.
The broader implications of this vulnerability highlight the critical importance of input sanitization and output encoding in web application security, particularly for plugins that process user-generated content. This weakness demonstrates how seemingly minor oversights in data handling can create significant security risks, emphasizing the need for comprehensive security testing and regular vulnerability assessments. Organizations using the superstorefinder-wp plugin must prioritize patch management and implement defense-in-depth strategies to protect against similar vulnerabilities that could arise from inadequate data validation and sanitization processes. The vulnerability serves as a reminder of the essential security controls required for maintaining web application integrity and protecting user data from malicious exploitation through cross-site scripting attacks.