CVE-2024-4856 in FS Product Inquiry Plugin
Summary
by MITRE • 06/04/2024
The FS Product Inquiry WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/26/2025
The FS Product Inquiry WordPress plugin version 1.1.1 contains a critical reflected cross-site scripting vulnerability that poses significant security risks to WordPress installations. This vulnerability exists due to inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating an exploitable condition that can be leveraged by malicious actors to execute arbitrary JavaScript code in the context of affected users' browsers. The flaw specifically affects how the plugin handles user-supplied parameters, failing to properly sanitize or escape data before incorporating it into HTML output responses.
The technical implementation of this vulnerability stems from the plugin's failure to apply proper security controls when processing incoming request parameters. When the plugin receives user input through HTTP request parameters, it directly incorporates this data into the HTML response without adequate sanitization measures. This creates a reflected XSS vector where malicious scripts can be injected and executed when the affected page is rendered in a victim's browser. The vulnerability affects both authenticated administrators and unauthenticated users, making it particularly dangerous as it can be exploited against any user who interacts with the compromised plugin functionality.
The operational impact of this vulnerability extends beyond simple script execution, as it can be leveraged for more sophisticated attacks targeting high-privilege users. Attackers can craft malicious URLs containing XSS payloads that, when clicked by administrators, would execute code in the admin context. This could lead to unauthorized administrative actions, data exfiltration, session hijacking, or the installation of backdoors. The reflected nature of the vulnerability means that exploitation requires user interaction with a malicious link, but the attack can be delivered through various channels including phishing emails, compromised websites, or social engineering campaigns.
Security professionals should consider this vulnerability in the context of the CWE-79 weakness category, which specifically addresses cross-site scripting flaws in software applications. The ATT&CK framework would classify this as a web application attack vector under the technique of "Cross-Site Scripting" with potential for privilege escalation and persistent access. Organizations should immediately implement mitigations including plugin updates to the latest version, input validation and output encoding measures, and network-based protections such as web application firewalls. Additionally, security monitoring should be enhanced to detect suspicious user interactions with the plugin functionality, and regular security audits should be conducted to identify similar vulnerabilities in other WordPress plugins and custom code implementations.