CVE-2024-10519 identifies a reflected Cross-Site Scripting vulnerability in the 'Wishlist for WooCommerce: Multi Wishlists Per Customer PRO' plugin for WordPress, specifically in versions 3.0.8 through 3.1.2. The vulnerability stems from improper neutralization of user-supplied input in the 'wtab' URL parameter. Because the plugin fails to adequately sanitize and escape this input before embedding it into web pages, an attacker can craft a malicious URL containing executable JavaScript code. When an unsuspecting user clicks this URL, the injected script executes within the context of the affected website, potentially compromising user sessions or performing unauthorized actions. The vulnerability is exploitable without authentication but requires user interaction (clicking a malicious link). Importantly, only WordPress sites running PHP versions 7.4 or earlier are vulnerable, as later PHP versions presumably mitigate or are incompatible with the vulnerable plugin behavior. The CVSS 3.1 score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, user interaction necessary, and a scope change indicating potential impact beyond the vulnerable component. The vulnerability affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WooCommerce and WordPress in e-commerce environments. The vulnerability was published on November 23, 2024, and is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of CVE-2024-10519 is the potential for attackers to execute arbitrary JavaScript in the context of affected websites, leading to session hijacking, theft of sensitive user data such as cookies or credentials, and unauthorized actions performed on behalf of users. For e-commerce sites using WooCommerce, this could result in fraudulent transactions, data leakage, or reputational damage. Since the vulnerability is reflected XSS, it requires social engineering to lure users into clicking malicious links, which may limit widespread automated exploitation but still poses a significant risk especially to high-traffic sites. The scope change in the CVSS vector indicates that the vulnerability could affect components beyond the plugin itself, potentially impacting the entire web application. Organizations with vulnerable WordPress installations running PHP 7.4 or earlier are at risk. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks. The medium severity rating reflects moderate impact and ease of exploitation without authentication, emphasizing the need for timely remediation to protect customer data and maintain trust.

To mitigate CVE-2024-10519, organizations should first upgrade the 'Wishlist for WooCommerce: Multi Wishlists Per Customer PRO' plugin to a version that addresses this vulnerability once available. If no patch is currently released, consider temporarily disabling the plugin or restricting access to affected functionality. Additionally, upgrading the underlying PHP environment to a version higher than 7.4 can reduce exposure, as the vulnerability affects only PHP 7.4 and earlier. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious payloads in the 'wtab' parameter can provide interim protection. Site administrators should also enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit and sanitize all user inputs and outputs in custom code or plugins to prevent similar issues. Educate users and staff about phishing risks to reduce the likelihood of successful social engineering attacks. Finally, monitor logs for suspicious URL access patterns involving the 'wtab' parameter to detect potential exploitation attempts.