CVE-2024-9211 is a reflected cross-site scripting (XSS) vulnerability identified in the FULL – Cliente plugin for WordPress, present in all versions up to and including 3.1.22. The vulnerability stems from the plugin's use of WordPress functions add_query_arg and remove_query_arg to manipulate URL query parameters without proper escaping or sanitization. This improper neutralization of input (classified under CWE-79) allows attackers to craft malicious URLs that, when visited by unsuspecting users, execute arbitrary JavaScript in the victim's browser context. Because the vulnerability is reflected, the malicious payload is embedded in the URL and reflected back in the web page response. The attack vector requires no authentication (AV:N), has low attack complexity (AC:L), and requires user interaction (UI:R) such as clicking a malicious link. The scope is changed (S:C) because the vulnerability can affect the confidentiality and integrity of user data across security boundaries. The CVSS v3.1 base score is 6.1, reflecting medium severity with partial impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability poses risks such as session hijacking, credential theft, or unauthorized actions performed on behalf of the user if exploited successfully. The plugin’s widespread use in WordPress sites makes this a relevant threat for many web-facing applications.

The primary impact of CVE-2024-9211 is on the confidentiality and integrity of user sessions and data on websites using the FULL – Cliente WordPress plugin. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate users or administrators, potentially leading to unauthorized access or privilege escalation. Attackers may also manipulate the user interface or perform actions on behalf of users, undermining trust and potentially causing reputational damage. While availability is not directly affected, the indirect consequences of compromised accounts or data leakage can be severe. Organizations relying on this plugin for customer-facing or internal WordPress sites face increased risk of targeted phishing or social engineering attacks leveraging the XSS vulnerability. The lack of authentication requirement and ease of exploitation via crafted URLs increase the threat level, especially for sites with high user interaction or sensitive data. The vulnerability could also be leveraged as part of multi-stage attacks or combined with other vulnerabilities to escalate impact.

To mitigate CVE-2024-9211, organizations should first check for official patches or updates from the FULL – Cliente plugin developers and apply them promptly once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on all URL parameters manipulated by add_query_arg and remove_query_arg functions, ensuring proper escaping of user-supplied data before rendering it in HTML contexts. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting the plugin’s URL parameters can provide interim protection. Site owners should also educate users about the risks of clicking suspicious links and consider implementing Content Security Policy (CSP) headers to restrict script execution sources. Regular security audits and monitoring for unusual user activity or error logs related to the plugin can help detect attempted exploitation. Finally, consider disabling or replacing the plugin if it is not essential or if no timely fix is available.