CVE-2024-8759

4.8 MEDIUM

📋 TL;DR

The Nested Pages WordPress plugin before version 3.2.9 contains a stored cross-site scripting (XSS) vulnerability in its settings. This allows authenticated administrators to inject malicious scripts that execute when other users view affected pages, even in WordPress multisite configurations where unfiltered_html is restricted. Only WordPress sites using vulnerable versions of the Nested Pages plugin are affected.

💻 Affected Systems

Products:
  • Nested Pages WordPress Plugin
Versions: All versions before 3.2.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Nested Pages plugin. Vulnerability only exploitable by users with admin-level privileges.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to complete site compromise.

🟠 Likely Case

Malicious admin or compromised admin account injects tracking scripts, defaces content, or steals lower-privileged user sessions.

🟢 If Mitigated

With proper access controls and admin account security, impact is limited to potential content defacement within the plugin's settings interface.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. Attack is straightforward once authenticated as admin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.9

Vendor Advisory: https://wpscan.com/vulnerability/3dd41ecb-d0dc-4c23-9e5b-b1f7fbaaddfd/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Nested Pages plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.9+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Nested Pages Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate nested-pages

Restrict Admin Access

Platform: all

Implement strict access controls and monitoring for admin accounts.

🧯 If You Can't Patch

  • Remove admin privileges from untrusted users and implement principle of least privilege
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel > Plugins > Nested Pages version. If the version is below 3.2.9, the site is vulnerable.

Check Version:

wp plugin get nested-pages --field=version

Verify Fix Applied:

Verify Nested Pages plugin version is 3.2.9 or higher in WordPress admin panel.
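The version check above has to compare dotted version strings numerically, not as text: a plain string comparison would rank 3.10.0 below 3.2.9 and report a patched site as vulnerable. The following POSIX shell script is an added example, not part of the advisory or the Nested Pages plugin; it compares versions component by component, flags anything below 3.2.9 as affected by CVE-2024-8759, and optionally wraps the wp-cli command from this page. The `version_cmp`, `is_vulnerable_version` and `check_installed` function names are this example's own, and `check_installed` assumes wp-cli is installed and is run from the WordPress root.

```shell
#!/bin/sh
# Added example: numeric comparison of dotted version strings for the
# CVE-2024-8759 check (fixed in Nested Pages 3.2.9). Not project code.

FIXED_VERSION="3.2.9"

# Print -1, 0 or 1 depending on whether $1 is lower than, equal to or
# higher than $2. Components are compared as integers; a non-numeric
# suffix such as "-rc1" on a component is ignored; missing components
# are treated as 0, so "3.3" equals "3.3.0".
version_cmp() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Take the leading component of each string and drop it from the rest.
        ai="${a%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bi="${b%%.*}"
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        # Keep only the leading digits of each component.
        ai=$(printf '%s' "$ai" | sed 's/[^0-9].*$//')
        bi=$(printf '%s' "$bi" | sed 's/[^0-9].*$//')
        ai="${ai:-0}"
        bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Succeed (exit 0) when the given plugin version is affected, i.e. strictly
# below the fixed version 3.2.9.
is_vulnerable_version() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Query the installed version through wp-cli (command taken from the
# advisory) and report. Exit 0 = patched, 1 = vulnerable, 2 = unknown.
check_installed() {
    v=$(wp plugin get nested-pages --field=version 2>/dev/null) || {
        echo "nested-pages not installed or wp-cli unavailable"
        return 2
    }
    if is_vulnerable_version "$v"; then
        echo "VULNERABLE: nested-pages $v is below $FIXED_VERSION (CVE-2024-8759)"
        return 1
    fi
    echo "OK: nested-pages $v is $FIXED_VERSION or newer"
    return 0
}

# Only touch the live site when explicitly asked: ./check.sh --check
case "${1:-}" in
    --check) check_installed ;;
esac
```

Running `sh check.sh --check` from the WordPress root prints one line and exits 1 when the installed plugin is affected, which makes it easy to fold into a fleet-wide inventory loop. The same lexicographic pitfall applies to any SIEM field that stores the version as a string, so a detection rule comparing `version` textually against "3.2.9" should be validated against a 3.10.x-style value before it is trusted.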

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying Nested Pages settings
  • JavaScript payloads in plugin settings fields

Network Indicators:

  • Unexpected external script loads from WordPress admin pages

SIEM Query:

source="wordpress" AND (event="plugin_edit" OR event="settings_save") AND plugin="nested-pages" AND version<"3.2.9"

🔗 References
