The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Configurations
History
19 Sep 2024, 22:13
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/auxin-portfolio/trunk/includes/elements/recent-portfolios.php - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/4475cbd4-07cf-499a-a11a-b63eb9184568?source=cve - Third Party Advisory | |
CPE | cpe:2.3:a:averta:auxinportfolio:*:*:*:*:*:wordpress:*:* | |
First Time |
Averta
Averta auxinportfolio |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
Summary |
|
29 Aug 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-29 13:15
Updated : 2024-09-19 22:13
NVD link : CVE-2024-1384
Mitre link : CVE-2024-1384
CVE.ORG link : CVE-2024-1384
JSON object : View
Products Affected
averta
- auxinportfolio
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')