CVE-2024-0509
Published: 05 February 2024
Summary
CVE-2024-0509 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Hwk Wp 404 Auto Redirect To Similar Post. Its CVSS base score is 6.1 (Medium).
Operationally, ranked in the top 2.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The CVE-2024-0509 vulnerability is a reflected cross-site scripting flaw affecting the WP 404 Auto Redirect to Similar Post plugin for WordPress in all versions through 1.0.3. It arises from insufficient input sanitization and output escaping on the request parameter, which is tracked under CWE-79 and carries a CVSS 3.1 score of 6.1.
Unauthenticated attackers can exploit the issue by supplying a crafted request value in a URL and then tricking an authenticated user into clicking the link, causing arbitrary scripts to execute in the victim's browser session with limited confidentiality and integrity impact.
The referenced Wordfence advisory and WordPress plugin trac changesets show that the flaw was resolved by updating includes/ajax.php to improve sanitization and escaping; site administrators should apply the patched version of the plugin. The associated EPSS values have remained stable near 0.34 with no material post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16304
Vulnerability details
The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘request’ parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it…
more
possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.