CVE-2024-3231
Published: 17 May 2024
Summary
CVE-2024-3231 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Ivanweb Popup4Phone. Its CVSS base score is 6.1 (Medium).
Operationally, ranked in the top 10.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Popup4Phone WordPress plugin through version 1.3.2 is affected by an improper input sanitization and escaping flaw tracked as CVE-2024-3231. The issue, classified under CWE-79, permits Cross-Site Scripting and carries a CVSS 3.1 score of 6.1 reflecting network attack vector, low complexity, and no required authentication or privileges.
Unauthenticated attackers can supply crafted parameters that execute script in the context of an administrator who views the affected page, enabling actions such as session token theft or administrative interface manipulation within the WordPress site.
The referenced WPScan advisory at the supplied URL documents the vulnerability but does not detail specific patches or configuration changes beyond the general recommendation to update the plugin once a fixed release is available.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0823 before receding to the current value of 0.0479, indicating a measurable post-disclosure increase in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31823
Vulnerability details
The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.