CVE-2024-56022: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in WordPress Monsters Preloader plugin affecting versions through 1.2.3. The vulnerability was discovered by Muhamad Agil Fachrian and was publicly disclosed on December 17, 2024. This security issue has been assigned CVE-2024-56022 and affects the WordPress plugin Preloader by WordPress Monsters (Patchstack).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It has received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. This creates potential risks for website visitors and could compromise the security of the affected WordPress installations (Patchstack).

Currently, there is no official fix available from the plugin developer. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).