CVE-2024-5884

The Beauty theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tpl_featured_cat_id’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:allprices:beauty:*:*:*:*:*:wordpress:*:*

History

26 Sep 2024, 20:13

Type Values Removed Values Added
CPE cpe:2.3:a:allprices:beauty:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
References () https://themes.trac.wordpress.org/browser/beauty/1.1.4/functions.php#L46 - () https://themes.trac.wordpress.org/browser/beauty/1.1.4/functions.php#L46 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c1089958-a481-47b1-9dc6-799a1a7930c8?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c1089958-a481-47b1-9dc6-799a1a7930c8?source=cve - Third Party Advisory
Summary
  • (es) El tema Beauty para WordPress es vulnerable a Cross-site Scripting Almacenado a través del parámetro 'tpl_featured_cat_id' en todas las versiones hasta la 1.1.4 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, inyecten secuencias de comandos web arbitrarias en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.
First Time Allprices beauty
Allprices

13 Sep 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-13 15:15

Updated : 2024-09-26 20:13


NVD link : CVE-2024-5884

Mitre link : CVE-2024-5884

CVE.ORG link : CVE-2024-5884


JSON object : View

Products Affected

allprices

  • beauty
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')