CVE-2024-35768 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the LiveComposer Page Builder plugin for WordPress, specifically affecting versions up to and including 2.1.11. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious actors to inject and execute arbitrary JavaScript code within the context of the affected website. This type of XSS is DOM-based, meaning the malicious payload is executed as a result of client-side script processing of unsafe input, rather than server-side injection. An attacker can exploit this by crafting malicious URLs or input vectors that, when processed by the vulnerable plugin, execute scripts in the victim’s browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability does not require authentication, increasing its risk profile, and does not currently have a CVSS score or known exploits in the wild. However, given the widespread use of WordPress and the popularity of LiveComposer as a page builder, the potential attack surface is significant. The vulnerability was reserved in May 2024 and published in June 2024, with no patch links currently available, indicating that users must be vigilant and apply mitigations proactively.

The impact of CVE-2024-35768 can be substantial for organizations using the LiveComposer Page Builder plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, potentially leading to theft of sensitive information such as authentication cookies, personal data, or session tokens. This can facilitate account takeover, unauthorized actions on behalf of users, or further malware distribution. Additionally, attackers may deface websites or redirect visitors to malicious domains, damaging brand reputation and user trust. Since the vulnerability is client-side and does not require authentication, it can be exploited by any attacker who can lure users to a crafted URL or page. Organizations with high traffic websites or those handling sensitive user data are at increased risk. The absence of an official patch at the time of disclosure further elevates the risk, as attackers may develop exploits targeting unpatched systems. The widespread adoption of WordPress and LiveComposer in various sectors globally means that the threat could affect a broad range of industries, including e-commerce, media, education, and government portals.

To mitigate the risk posed by CVE-2024-35768, organizations should take several specific actions beyond generic advice: 1) Immediately monitor official LiveComposer channels for patches or updates and apply them as soon as they become available. 2) Implement strict input validation and sanitization on all user-supplied data processed by the plugin, especially data that influences DOM manipulation. 3) Deploy a robust Content Security Policy (CSP) that restricts the execution of inline scripts and limits sources of executable code to trusted domains. 4) Use security plugins or web application firewalls (WAFs) capable of detecting and blocking XSS payloads targeting WordPress plugins. 5) Educate users and administrators about the risks of clicking on suspicious links and encourage the use of browser security features that can mitigate XSS attacks. 6) Conduct regular security audits and penetration testing focused on client-side vulnerabilities in web applications using LiveComposer. 7) Consider temporarily disabling or replacing the LiveComposer plugin with alternative page builders if immediate patching is not possible. These measures collectively reduce the attack surface and help protect both website operators and end users.