CVE-2024-8871 is a reflected Cross-Site Scripting vulnerability identified in the Pricing Tables WordPress Plugin – Easy Pricing Tables developed by fatcatapps. The vulnerability exists due to the plugin's use of the WordPress function add_query_arg without proper escaping or sanitization of user-supplied input in URL parameters. This improper neutralization of input (CWE-79) allows attackers to craft malicious URLs containing arbitrary JavaScript code. When a victim clicks such a link, the injected script executes in their browser context, potentially leading to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability affects all versions up to and including 3.2.5. It is exploitable remotely over the network without authentication but requires user interaction (clicking a malicious link). The vulnerability has a CVSS v3.1 base score of 6.1, reflecting medium severity with low attack complexity and no privileges required. The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component, such as user sessions and data confidentiality. No patches or official fixes have been linked yet, and no known exploits are reported in the wild as of the publication date. The vulnerability highlights the importance of proper escaping and sanitization when manipulating URLs in WordPress plugins.

The primary impact of this vulnerability is on the confidentiality and integrity of user data on affected WordPress sites. Successful exploitation can lead to session hijacking, allowing attackers to impersonate users, including administrators, potentially leading to unauthorized access and control over the website. Attackers may also perform phishing attacks by injecting malicious scripts that alter page content or redirect users to malicious sites. While availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences for organizations. Since the vulnerability is exploitable without authentication but requires user interaction, the risk increases in environments with high user traffic and where users may be susceptible to social engineering. Organizations relying on the Easy Pricing Tables plugin for their WordPress sites, especially those handling sensitive customer data or financial transactions, face elevated risks. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, as proof-of-concept exploits may emerge.

Organizations should immediately verify if they are using the Pricing Tables WordPress Plugin – Easy Pricing Tables and identify the version in use. Since no official patch links are provided yet, administrators should monitor vendor announcements for updates or patches addressing CVE-2024-8871. In the interim, applying Web Application Firewall (WAF) rules to detect and block suspicious URL parameters containing script payloads can reduce risk. Site administrators should enforce Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Educating users about the risks of clicking unsolicited or suspicious links can help mitigate exploitation via social engineering. Additionally, reviewing and hardening user privileges on WordPress sites limits the damage potential if an attacker gains access. Developers maintaining custom code interacting with add_query_arg should ensure proper escaping and sanitization of inputs using WordPress security functions such as esc_url or esc_html. Regular security scanning and monitoring for anomalous activities related to this plugin are recommended.