CVE-2024-9378 is a reflected cross-site scripting (XSS) vulnerability identified in the YML for Yandex Market plugin for WordPress, developed by icopydoc. This vulnerability affects all versions up to and including 4.7.2. The root cause is insufficient sanitization and escaping of the 'page' parameter in HTTP requests, which is used during web page generation. An unauthenticated attacker can craft a malicious URL containing a script payload in the 'page' parameter. When a victim clicks this URL, the injected script executes in the context of the victim's browser, potentially allowing theft of cookies, session tokens, or performing unauthorized actions on behalf of the user. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, meaning it is remotely exploitable over the network without privileges but requires user interaction and results in partial confidentiality and integrity impact with no availability impact. No patches or fixes are currently linked, and no exploits have been observed in the wild. The vulnerability is significant for websites using this plugin to integrate Yandex Market feeds, especially those with high user interaction and e-commerce transactions.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity. Attackers can steal session cookies or authentication tokens, leading to account hijacking or unauthorized actions within the affected website. This can result in data leakage, fraudulent transactions, or defacement of web content. Since the vulnerability is reflected XSS, it requires social engineering to lure users into clicking malicious links, which can be distributed via email, social media, or other channels. The scope includes any WordPress site using the vulnerable YML for Yandex Market plugin, which may be significant in regions where Yandex Market is popular. Although availability is not impacted, the reputational damage and potential regulatory consequences from data breaches can be severe. The lack of authentication requirement increases the attack surface, making it accessible to a wide range of attackers. Organizations relying on this plugin for e-commerce or product listing integrations face risks of customer trust erosion and financial losses.

Immediate mitigation should focus on updating the YML for Yandex Market plugin to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on the 'page' parameter to neutralize malicious scripts. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting this parameter can reduce risk. Additionally, enabling Content Security Policy (CSP) headers can limit the execution of unauthorized scripts. Site owners should educate users about the risks of clicking suspicious links and monitor logs for unusual URL patterns. Regular security audits and scanning for XSS vulnerabilities in plugins are recommended. Disabling or removing the plugin temporarily may be necessary if no immediate fix is available and risk is high. Finally, ensure WordPress core and all plugins are kept up to date to minimize exposure to known vulnerabilities.