CVE-2024-37471 – This CVE describes a reflected cross-site scrip... (How to Fix)

Q: What is the severity of CVE-2024-37471?

CVE-2024-37471 has a CVSS score of 7.1 (HIGH). This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Woffice Core WordPress plugin. Attackers can inject malicious scripts via crafted URLs that execute when victims visit those links. All WordPress sites using Woffice Core versions up to 5.4.8 are affected.

📋 TL;DR

This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Woffice Core WordPress plugin. Attackers can inject malicious scripts via crafted URLs that execute when victims visit those links. All WordPress sites using Woffice Core versions up to 5.4.8 are affected.

💻 Affected Systems

Products:

Woffice Core WordPress Plugin

Versions: All versions up to and including 5.4.8

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Woffice Core plugin enabled. The vulnerability is site-wide, affecting all pages using the plugin.

📦 What is this software?

Woffice by Xtendify

View all CVEs affecting Woffice →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface websites.

🟠

Likely Case

Attackers craft phishing emails with malicious links that execute scripts in victims' browsers, potentially stealing session tokens or credentials.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS vulnerabilities are commonly exploited via phishing campaigns. No public proof-of-concept was found in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 5.4.8

Vendor Advisory: https://patchstack.com/database/vulnerability/woffice-core/wordpress-woffice-core-plugin-5-4-8-site-wide-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Woffice Core and click 'Update Now'. 4. Verify the plugin version is above 5.4.8.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with XSS protection rules to block malicious requests.

Disable Plugin

all

Temporarily disable the Woffice Core plugin until patched.

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution sources.
Use browser security features like HttpOnly and Secure flags for cookies to limit impact.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Woffice Core version. If version is 5.4.8 or lower, the system is vulnerable.

Check Version:

wp plugin list --name=woffice-core --field=version

Verify Fix Applied:

After updating, verify the plugin version is above 5.4.8 in the WordPress plugins page.

📡 Detection & Monitoring

Log Indicators:

Unusual GET requests with script tags or JavaScript in query parameters
Multiple 400/403 errors from WAF blocking XSS attempts

Network Indicators:

HTTP requests containing <script>, javascript:, or encoded payloads in URLs

SIEM Query:

source="web_server_logs" AND (uri="*<script>*" OR uri="*javascript:*" OR uri="*%3Cscript%3E*")

📊 Metadata

CVE ID: CVE-2024-37471

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

Published: July 4, 2024

Last Updated: January 9, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-37471, you might also want to check these: