WordPress Organici Library plugin <= 2.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
traduzindo…Plataforma
wordpress
Componente
noo-organici-library
Corrigido em
2.1.3
CVE-2026-24975 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the NooTheme Organici Library. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft or session hijacking. The vulnerability impacts versions 0.0.0 through 2.1.2 of the Organici Library and has been resolved in version 2.1.3.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Impacto e Cenários de Ataquetraduzindo…
An attacker could exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the website. The impact is particularly severe if the website handles sensitive user data, as an attacker could potentially gain access to credentials or other confidential information. The blast radius extends to any user visiting a page containing the vulnerable Organici Library component, making it a widespread concern for WordPress sites utilizing this plugin.
Contexto de Exploraçãotraduzindo…
CVE-2026-24975 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation for Reflected XSS vulnerabilities suggests a moderate probability of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability. Refer to the NVD entry for further details.
Quem Está em Riscotraduzindo…
WordPress websites utilizing the NooTheme Organici Library are at risk. Specifically, sites with user-facing input fields that are not properly sanitized are particularly vulnerable. Shared hosting environments where plugin updates are managed centrally may also be at increased risk if updates are not applied promptly.
Passos de Detecçãotraduzindo…
• wordpress / composer / npm:
grep -r 'noo-organici-library' plugins/
wp plugin list | grep organici• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>' | grep Content-Security-PolicyLinha do Tempo do Ataque
- Disclosure
disclosure
Inteligência de Ameaças
Status do Exploit
EPSS
0.04% (percentil 11%)
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Necessária — a vítima deve abrir um arquivo, clicar em um link ou visitar uma página.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Baixo — acesso parcial ou indireto a alguns dados.
- Integrity
- Baixo — o atacante pode modificar alguns dados com alcance limitado.
- Availability
- Baixo — negação de serviço parcial ou intermitente.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-24975 is to immediately upgrade the NooTheme Organici Library to version 2.1.3 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress site for vulnerable plugins using security scanning tools.
Como corrigirtraduzindo…
Update to version 2.1.3, or a newer patched version
Boletim de Segurança CVE
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
Perguntas frequentestraduzindo…
What is CVE-2026-24975 — Reflected XSS in NooTheme Organici Library?
CVE-2026-24975 is a Reflected XSS vulnerability affecting the NooTheme Organici Library, allowing attackers to inject malicious scripts via crafted URLs.
Am I affected by CVE-2026-24975 in NooTheme Organici Library?
You are affected if your WordPress site uses NooTheme Organici Library versions 0.0.0 through 2.1.2. Check your plugin versions and update immediately.
How do I fix CVE-2026-24975 in NooTheme Organici Library?
Upgrade the NooTheme Organici Library to version 2.1.3 or later. Implement input validation and output encoding as a temporary workaround.
Is CVE-2026-24975 being actively exploited?
While no active exploitation has been confirmed, the ease of exploitation suggests a potential risk. Monitor security advisories for updates.
Where can I find the official NooTheme advisory for CVE-2026-24975?
Refer to the NooTheme website and WordPress plugin repository for the latest advisory and update information.
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.