CVE-2024-0386
Published: 12 March 2024
Summary
CVE-2024-0386 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Weformspro Weforms. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The weForms plugin for WordPress is vulnerable to stored cross-site scripting in all versions through 1.6.21. The flaw stems from insufficient sanitization and escaping of the HTTP Referer header, which is processed and stored without adequate validation before being rendered in administrative or other pages.
Unauthenticated remote attackers can supply a crafted Referer header to inject persistent JavaScript payloads. Because the attack requires no authentication or user interaction and its impact reaches beyond the vulnerable component (changed scope), successful exploitation allows arbitrary script execution in victims' browsers, enabling session-token theft, unauthorized administrative actions, or other client-side impacts; the combined severity is rated CVSS 7.2.
Public references point to a WordPress plugin changeset that addresses the issue, indicating that updating to a version later than 1.6.21 removes the vulnerable code paths. Wordfence threat intelligence entries reiterate the same remediation guidance and confirm the affected versions.
EPSS for the CVE rose from an initial low value to a peak of 0.1576, indicating measurable post-disclosure interest in exploitation. No confirmed in-the-wild campaigns are documented in the supplied references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16182
Vulnerability details
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- CWE(s): CWE-79
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs before it is stored, removing one path by which XSS payloads reach the application.
Output validation and escaping of content before it is written into generated web pages can reject or neutralize script content, reducing XSS exploitability.
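The following PHP is an added illustration of the weakness class described in the "Deeper analysis" section and of the two controls listed above; it is not the weForms plugin's code and does not reproduce the actual vulnerable code path. It assumes a hypothetical page that stores the Referer header and later echoes it into an admin table cell. The function names (render_unsafe, sanitize_referer, render_safe, contains_live_tag) and the sample headers are constructed for this example. In a WordPress plugin the equivalents are sanitize_text_field(wp_unslash($_SERVER['HTTP_REFERER'] ?? '')) at storage time and esc_html() or esc_url() at output time; plain htmlspecialchars() and preg_match() are used here so the script runs under the PHP CLI without WordPress loaded.

```php
<?php
// Added example (hypothetical, not the weForms plugin's code): a Referer header
// stored and later rendered into an admin page, shown vulnerable and hardened.
declare(strict_types=1);

/** Vulnerable pattern: the raw stored header is interpolated into HTML unchanged. */
function render_unsafe(string $stored_referer): string
{
    return '<td class="referer">' . $stored_referer . '</td>';
}

/**
 * Storage-time control (defense in depth): keep the value only if it looks like a
 * plain http(s) URL built from a conservative character set; otherwise store ''.
 * Characters such as < > " ' and whitespace never reach the database this way.
 */
function sanitize_referer(?string $header): string
{
    if ($header === null) {
        return '';
    }
    $candidate = trim($header);
    if (strlen($candidate) > 2048) {
        return '';
    }
    // Fragments are never sent in Referer, so '#' is deliberately not allowed.
    $allowed = '#^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~!$&*+,;=:@/%?()-]*)?$#';
    return preg_match($allowed, $candidate) === 1 ? $candidate : '';
}

/** Output-time control: contextual escaping is the primary fix for stored XSS. */
function render_safe(string $stored_referer): string
{
    $escaped = htmlspecialchars($stored_referer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="referer">' . $escaped . '</td>';
}

/** Reviewer self-check: does the rendered fragment still contain a live tag start? */
function contains_live_tag(string $html_fragment): bool
{
    // Strip the trusted wrapper cell, then look for any remaining '<'.
    $inner = preg_replace('#^<td class="referer">|</td>$#', '', $html_fragment);
    return str_contains($inner, '<');
}

// Constructed sample headers: one benign, one carrying a script tag.
$samples = [
    'https://example.com/contact?utm=spring',
    'https://example.com/"><script>alert(1)</script>',
];

foreach ($samples as $raw) {
    $unsafe = render_unsafe($raw);
    $stored = sanitize_referer($raw);
    $safe   = render_safe($raw); // escaping holds even if the storage-time check was skipped

    printf("Raw header : %s\n", $raw);
    printf("  unsafe   : %s (live tag: %s)\n", $unsafe, contains_live_tag($unsafe) ? 'yes' : 'no');
    printf("  stored   : %s\n", $stored === '' ? '(rejected)' : $stored);
    printf("  escaped  : %s (live tag: %s)\n\n", $safe, contains_live_tag($safe) ? 'yes' : 'no');
}
```

Run it with `php referer_xss_demo.php` (any filename works). The benign header passes both controls unchanged; the second sample is rejected at storage time by the allow-list and, if it were stored anyway, is rendered as inert text by the escaping step. Output escaping is the control that actually closes CWE-79 here; the storage-time allow-list only shrinks what can reach the database, which is why the two are applied independently rather than one relying on the other.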