CVE-2021-34655 is a Reflected Cross-Site Scripting (XSS) vulnerability identified in the WP Songbook WordPress plugin, specifically affecting versions up to and including 2.0.11. The vulnerability arises from improper sanitization of the 'url' parameter in the ~/inc/class.ajax.php file. An attacker can craft a malicious URL containing arbitrary JavaScript code injected into this parameter. When a victim clicks on this crafted link, the injected script executes in the context of the victim's browser session with the affected WordPress site. This reflected XSS attack does not require prior authentication but does require user interaction (clicking the malicious link). The vulnerability impacts confidentiality and integrity by potentially allowing attackers to steal session cookies, perform actions on behalf of the user, or manipulate displayed content. The CVSS 3.1 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and partial impact on confidentiality and integrity but no impact on availability. No known exploits in the wild have been reported, and no official patches or updates are linked in the provided information. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS. The reflected nature of the XSS means the malicious payload is not stored on the server but delivered via crafted URLs, making phishing or social engineering a likely attack vector.

For European organizations using WordPress sites with the WP Songbook plugin version 2.0.11 or earlier, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed under the victim's identity. This can lead to compromised user accounts, defacement, or unauthorized data access. Organizations in sectors with high web presence such as media, entertainment, education, and cultural institutions that use WP Songbook to manage song libraries or music content are particularly at risk. The impact is exacerbated if the affected sites have privileged users or administrators who might be targeted. Although the vulnerability does not affect availability, the loss of confidentiality and integrity can undermine trust, cause reputational damage, and potentially lead to regulatory scrutiny under GDPR if personal data is compromised. The requirement for user interaction means phishing campaigns could be used to exploit this vulnerability, increasing the risk to end users and customers of affected organizations.

European organizations should immediately audit their WordPress installations to identify the presence and version of the WP Songbook plugin. If version 2.0.11 or earlier is detected, they should upgrade to the latest version where the vulnerability is patched. In the absence of an official patch, organizations should implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'url' parameter in the affected AJAX endpoint. Input validation and output encoding should be enforced at the application level to neutralize script injection attempts. Security teams should educate users about the risks of clicking suspicious links and implement multi-factor authentication to reduce the impact of stolen credentials. Regular security scanning and penetration testing focused on XSS vulnerabilities should be conducted. Additionally, monitoring web server logs for unusual query parameters and user activity can help detect exploitation attempts early.