CVE-2024-1780 identifies a reflected cross-site scripting (XSS) vulnerability in the BizCalendar Web plugin for WordPress, developed by setriosoft. This vulnerability affects all versions up to and including 1.1.0.19. The root cause is insufficient sanitization and output encoding of the 'tab' parameter used during web page generation. Because of this, an attacker can craft a malicious URL containing a script payload within the 'tab' parameter. When a victim clicks the link, the injected script executes in the context of the vulnerable website, potentially allowing theft of session cookies, redirection to malicious sites, or other client-side attacks. The vulnerability requires no authentication but does require user interaction (clicking a link). The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability is categorized under CWE-79, a common web application security weakness related to improper neutralization of input during web page generation.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites using the BizCalendar Web plugin. Successful exploitation can lead to theft of sensitive information such as session tokens or personal data, unauthorized actions performed on behalf of the user, or redirection to malicious websites. While availability is not directly impacted, the trustworthiness of the affected web application can be compromised, potentially damaging organizational reputation. Since the vulnerability is exploitable without authentication but requires user interaction, phishing or social engineering campaigns could be leveraged to increase attack success. Organizations running WordPress sites with this plugin expose their users to these risks, which can lead to broader security incidents including account takeover or data leakage. The scope of affected systems is limited to websites using the vulnerable plugin versions, but given WordPress's widespread use, the potential attack surface is significant.

1. Immediate mitigation should focus on updating the BizCalendar Web plugin to a patched version once available from the vendor. In the absence of an official patch, consider temporarily disabling or removing the plugin to eliminate the attack vector. 2. Implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'tab' parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of XSS attacks. 4. Educate users and administrators about the risks of clicking untrusted links, especially those purporting to come from the affected website. 5. Review and harden input validation and output encoding practices in custom code or other plugins to reduce the risk of similar vulnerabilities. 6. Monitor web server logs for unusual query parameters or patterns indicative of exploitation attempts. 7. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities including XSS.