CVE-2024-56038
Published: 02 January 2025
Summary
CVE-2024-56038 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 45.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-56038 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS), in the SendSMS WordPress plugin developed by catalinsendsms. The issue affects SendSMS versions from n/a through 1.2.9 and is associated with CWE-79.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as clicking a malicious link. Exploitation changes the scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 score of 7.1. This enables execution of arbitrary scripts in the victim's browser context, potentially leading to session hijacking or data theft.
The Patchstack advisory provides details on this WordPress SendSMS plugin vulnerability, including assessment and recommended actions for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52936
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catalinsendsms SendSMS sendsms allows Reflected XSS.This issue affects SendSMS: from n/a through <= 1.2.9.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS directly enables arbitrary JavaScript execution in the victim's browser, facilitating session hijacking as explicitly noted in the CVE description.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires filtering and neutralization of output to web pages, preventing reflected XSS by blocking execution of injected scripts in the victim's browser.
Enforces validation of inputs to detect and reject malformed or malicious data that could be reflected as XSS payloads in the SendSMS plugin.
Requires timely flaw remediation, including patching the specific improper neutralization vulnerability in SendSMS versions through 1.2.9.