Platform
wordpress
Component
all-in-one-redirection
Fixed version
2.2.1
CVE-2024-37245 is a Reflected Cross-Site Scripting (XSS) vulnerability in the All In One Redirection plugin for WordPress. Attacker-controlled input is reflected into a page without adequate output encoding, so a victim who opens a crafted URL runs the attacker's script in the context of the site. Versions up to and including 2.2.0 are affected; version 2.2.1 contains the fix.
An attacker exploiting this Reflected XSS vulnerability can run arbitrary JavaScript in the browser of any user who opens a specially crafted URL, which in practice means the victim has to be lured into following the link. Because the script runs with the victim's session, it can perform actions as that user through the site's own forms and APIs, read what the victim can see on the page, redirect them to attacker-controlled sites, or deface the page they are viewing. Note that WordPress sets its authentication cookies as HttpOnly, so outright session-cookie theft through document.cookie is not the realistic outcome; riding the victim's authenticated session is, and the impact is greatest when that victim is a logged-in administrator. The blast radius covers every user of an affected site who can be made to visit a malicious URL.
CVE-2024-37245 was publicly disclosed on 2024-07-22. At the time of writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. Reflected XSS in a plugin is straightforward to reproduce once the affected parameter is known, so public proof-of-concept code is likely to appear.
Sites running the All In One Redirection plugin, particularly those that expose its redirection functionality to end users, are at risk. Shared or managed hosting environments where plugin updates are applied centrally can lag behind the fix, and sites without a patch routine or automatic plugin updates stay exposed longest.
• wordpress: grep -r "vsourz_digital_redirection" /var/www/html/ (locate installations by a string specific to the plugin's code; adjust the document root to your deployment)
• wordpress: wp plugin list | grep all-in-one-redirection (WP-CLI prints the plugin slug, not the display name "All In One Redirection", so grep for the slug and read the version column; wp plugin get all-in-one-redirection --field=version prints the version alone)
• wordpress: wp plugin update all-in-one-redirection (or wp plugin update --all) moves the site to 2.2.1 or later; this is remediation rather than detection
• generic web: check for unusual redirects or JavaScript execution when visiting URLs containing redirection parameters.
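As an added example (not code from the plugin, its vendor or this advisory), the following POSIX shell script turns the version checks above into one yes/no classification. It assumes the plugin slug given on this page (all-in-one-redirection), a document root of /var/www/html unless WP_ROOT is set, and that the installed version can be read from the "Version:" plugin header of the plugin's main file, whose file name this page does not state, so every .php file in the plugin directory is tried.

```shell
#!/bin/sh
# Added example, not code from the All In One Redirection plugin or from the
# advisory: classify an installed copy of the plugin as affected or fixed.
# Assumptions: slug all-in-one-redirection (from this page), document root
# /var/www/html, version taken from the "Version:" plugin header.

FIXED_VERSION="2.2.1"
PLUGIN_SLUG="all-in-one-redirection"
WP_ROOT="${WP_ROOT:-/var/www/html}"   # assumption: typical document root

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Components are compared numerically (so 2.2.10 > 2.2.9) and any
# non-numeric suffix such as "1-beta" is ignored for the comparison.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# is_affected VERSION: exit 0 when VERSION is 2.2.0 or earlier (vulnerable).
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# header_version FILE: print the "Version:" field of a WordPress plugin
# header. WordPress itself reads only the first 8 KiB, so do the same.
header_version() {
    head -c 8192 "$1" \
        | sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1
}

# installed_version: prefer WP-CLI (which keys on the slug, never the display
# name), fall back to the plugin header on disk. Prints nothing if not installed.
installed_version() {
    if command -v wp >/dev/null 2>&1; then
        wp plugin get "$PLUGIN_SLUG" --field=version --path="$WP_ROOT" 2>/dev/null && return
    fi
    for f in "$WP_ROOT/wp-content/plugins/$PLUGIN_SLUG"/*.php; do
        [ -f "$f" ] || continue
        v="$(header_version "$f")"
        if [ -n "$v" ]; then printf '%s\n' "$v"; return; fi
    done
}

# classify VERSION: one-word verdict suitable for scripting.
classify() {
    if [ -z "$1" ]; then echo "not-installed"
    elif is_affected "$1"; then echo "vulnerable"
    else echo "fixed"
    fi
}

# Constructed sample header (not a real plugin file) so the script demonstrates
# itself offline. On a real host run: classify "$(installed_version)"
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
<?php
/**
 * Plugin Name: All In One Redirection
 * Version: 2.2.0
 */
EOF
echo "sample header -> $(header_version "$SAMPLE") -> $(classify "$(header_version "$SAMPLE")")"
rm -f "$SAMPLE"
```

The numeric comparison matters because a naive string comparison would rank a hypothetical 2.2.10 below 2.2.9 and misreport a patched site as vulnerable.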
Disclosure
Exploitation status
EPSS
0.27% (51st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-37245 is to upgrade the All In One Redirection plugin to version 2.2.1 or later without delay. If the upgrade cannot be applied immediately because of compatibility concerns, the interim options are to deactivate the plugin until it can be, or to place a Web Application Firewall rule in front of the site that blocks common XSS payloads in the plugin's request parameters; treat the WAF as a stopgap, since encoding variations of a payload routinely get past signature rules. Adding input validation and output encoding to the plugin's own code is possible but is overwritten by the next plugin update, so it is a last resort. After upgrading, verify the fix on a staging copy by requesting the redirection URL with a harmless marker that contains HTML metacharacters and confirming that the response encodes or drops them instead of echoing them verbatim.
Update the All In One Redirection plugin to the latest available version. The XSS vulnerability is present in versions 2.2.0 and earlier; updating corrects it.
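As an added example, not from the advisory or the plugin: the post-upgrade verification described above, as a small POSIX shell helper. This page does not name the vulnerable request parameter, so the helper is parameter-agnostic and the URL and parameter name are supplied by the tester (both assumptions). The sample response bodies are constructed here to show the three outcomes and were not captured from any real site. Run the live probe only against sites you are authorised to test.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: check whether a
# request parameter is still reflected with its markup intact. URL and PARAM
# are tester-supplied assumptions; this page does not name the parameter.

TOKEN="r3flect7k3q"            # unique, harmless marker to look for in the response
CANARY="\"><$TOKEN>"           # wraps the marker in the metacharacters a fix must encode

# reflection_state BODY: print one of
#   raw          the canary is echoed with its markup intact (still vulnerable)
#   neutralized  the marker comes back but the metacharacters do not (encoded or stripped)
#   absent       the parameter is not reflected in this response at all
reflection_state() {
    body="$1"
    if printf '%s' "$body" | grep -qF -- "$CANARY"; then
        echo raw
    elif printf '%s' "$body" | grep -qF -- "$TOKEN"; then
        echo neutralized
    else
        echo absent
    fi
}

# probe URL PARAM: GET URL?PARAM=<canary> and classify the body.
# A WAF block (for example HTTP 403) also yields "absent", which proves the
# WAF is in the way, not that the plugin is fixed; check the status code too.
probe() {
    url="$1"; param="$2"
    body="$(curl -sS -G --data-urlencode "$param=$CANARY" "$url")"
    reflection_state "$body"
}

# Constructed sample responses (not captured from any real site): a vulnerable
# page, a page that applied esc_attr()-style encoding, and a page that does
# not echo the parameter.
VULN_BODY="<input type=\"hidden\" name=\"target\" value=\"\"><$TOKEN>\">"
FIXED_BODY="<input type=\"hidden\" name=\"target\" value=\"&quot;&gt;&lt;$TOKEN&gt;\">"
NOREFLECT_BODY="<p>Redirect not found.</p>"

for b in "$VULN_BODY" "$FIXED_BODY" "$NOREFLECT_BODY"; do
    echo "$(reflection_state "$b")"
done
# Live use: probe "https://staging.example.invalid/" "redirect_param"
```

Only "raw" means the vulnerability is still present; "neutralized" is the expected result after upgrading to 2.2.1, and "absent" needs a second look at the HTTP status before it is read as good news.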
CVE-2024-37245 is a Reflected XSS vulnerability affecting All In One Redirection versions up to 2.2.0, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using All In One Redirection version 2.2.0 or earlier. Check your plugin version and upgrade immediately.
Upgrade All In One Redirection to version 2.2.1 or later to resolve the vulnerability. Consider WAF rules as a temporary measure if upgrading is not immediately possible.
At the time of writing there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a likely target.
Refer to the official All In One Redirection website and WordPress plugin repository for the latest security advisory and update information.