CVE-2024-47336 in Terms Descriptions Plugin
Summary
by MITRE • 10/06/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows Stored XSS.This issue affects Terms descriptions: from n/a through <= 3.4.7.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability identified as CVE-2024-47336 represents a critical cross-site scripting flaw within the Terms descriptions plugin developed by Vladimir Statsenko. This stored cross-site scripting vulnerability occurs during the web page generation process when user input is improperly handled and subsequently rendered without adequate sanitization. The flaw exists in versions of the plugin ranging from the initial release through version 3.4.7, indicating a widespread impact across multiple iterations of the software. The vulnerability stems from the plugin's failure to properly neutralize user-supplied data before incorporating it into dynamically generated web pages, creating an avenue for malicious actors to inject persistent malicious scripts.
The technical implementation of this vulnerability allows attackers to execute malicious JavaScript code within the context of other users' browsers who visit pages containing the compromised content. When users interact with the affected plugin's functionality, particularly when viewing terms and descriptions that contain malicious input, the stored XSS payload executes automatically in their browsers. This occurs because the plugin does not adequately sanitize or escape user input during the rendering process, permitting attackers to embed script tags or other malicious code within term descriptions that persist in the database. The vulnerability is classified as a stored XSS attack under CWE-79, which specifically addresses the improper neutralization of input during web page generation, making it a direct violation of secure coding practices.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and redirection to malicious websites. Users who view compromised terms and descriptions become unwitting participants in the attack, as their browsers execute the injected scripts without their knowledge. This vulnerability particularly affects WordPress environments where the Terms descriptions plugin is installed, potentially compromising entire user bases if the plugin is widely deployed. The attack vector aligns with ATT&CK technique T1531, which involves the use of malicious scripts to gain unauthorized access to user sessions and data.
Organizations and users affected by this vulnerability should immediately update to the latest version of the Terms descriptions plugin where the XSS flaw has been addressed. The remediation process involves implementing proper input sanitization and output escaping mechanisms that prevent malicious code from being executed within the browser context. Security measures should include validating all user input through strict sanitization routines and employing content security policies to mitigate the impact of any potential exploitation attempts. Additionally, administrators should consider implementing web application firewalls and monitoring for suspicious input patterns that might indicate attempts to exploit this vulnerability. The fix should ensure that all user-generated content is properly escaped before being rendered in HTML contexts, following established security guidelines for preventing cross-site scripting attacks.