Attack Vectors
ARPrice – WordPress Pricing Table Plugin (slug: arprice) is affected by a Medium-severity reflected cross-site scripting (XSS) vulnerability (CVE-2024-49700, CVSS 6.1).
The primary attack path is link-based social engineering: an unauthenticated attacker can craft a URL containing malicious script and attempt to get a staff member (marketing, finance, leadership, or compliance) to click it via email, chat, social media messages, or a spoofed internal request. Because this is reflected XSS, the script executes in the victim’s browser when the link is opened, rather than being permanently stored on your site.
Security Weakness
CVE-2024-49700 is caused by insufficient input sanitization and output escaping in ARPrice – WordPress Pricing Table Plugin in versions up to and including 4.1.3. In practical terms, this means certain user-supplied data can be returned to a page in a way that allows a browser to interpret it as active code.
The vulnerability does not require authentication (per the CVSS vector: PR:N), but it does require user interaction (UI:R)—typically a click on a malicious link.
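To make the "insufficient output escaping" weakness concrete, here is an added illustration (not ARPrice code, and not the vendor's fix): a hypothetical shortcode fragment that reflects a request value into a pricing table, first without escaping and then with context-appropriate escaping. The function and parameter names are assumptions for illustration only.

```php
<?php
// Added example, not part of the ARPrice plugin. It models the class of defect
// behind CVE-2024-49700: a request value written into HTML without escaping.
// Function and parameter names are hypothetical.

// Defect: the value reaches the markup unchanged. A double quote in it closes
// the data-plan attribute early, and angle brackets are parsed as tags, so the
// browser treats attacker-controlled text as part of the document structure.
function render_plan_label_unsafe(string $plan): string
{
    return '<span class="arp-plan" data-plan="' . $plan . '">' . $plan . '</span>';
}

// Hardened: escape for the context the value lands in. The same value is used
// in a double-quoted attribute and in element text, so ENT_QUOTES is required
// (ENT_HTML5 alone would leave single quotes untouched). Inside WordPress the
// equivalents are esc_attr() for the attribute and esc_html() for the text;
// sanitize_text_field() on input is a complement, not a substitute, because
// only output escaping decides how the browser interprets the bytes.
function render_plan_label_safe(string $plan): string
{
    $escaped = htmlspecialchars($plan, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="arp-plan" data-plan="' . $escaped . '">' . $escaped . '</span>';
}

// Constructed sample input: the kind of value a crafted link would deliver in
// the query string, carrying both a quote and markup characters. After
// escaping, every quote becomes &quot; and every angle bracket &lt;/&gt;, so
// the markup renders as literal text instead of being executed.
$sample = isset($_GET['plan']) ? (string) $_GET['plan'] : 'Pro" <b>Plan</b>';

echo render_plan_label_unsafe($sample), PHP_EOL;
echo render_plan_label_safe($sample), PHP_EOL;
```

Viewing the two lines side by side in a browser's page source is a quick way to confirm that a plugin update actually escapes the reflected value rather than merely filtering a few characters.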
Technical or Business Impacts
While rated Medium, reflected XSS can still create meaningful business risk—especially for organizations where WordPress supports revenue, lead generation, or brand credibility. Potential impacts include session hijacking or account misuse (for example, if a logged-in user clicks a malicious link), unauthorized actions performed in the user’s browser, and exposure of limited sensitive information visible within the affected context (consistent with the CVSS impacts: C:L/I:L/A:N).
From a leadership and compliance perspective, outcomes can include brand damage (if users perceive your site as unsafe), marketing performance disruption (tampered landing-page behavior, misdirected traffic, broken analytics assumptions), and operational cost for incident response and stakeholder communications. Risk increases if staff commonly work while logged into WordPress admin, use shared devices, or have elevated privileges.
Recommended remediation: update ARPrice – WordPress Pricing Table Plugin to version 4.2 or a newer patched release. Reference: CVE-2024-49700 and Wordfence advisory.