CVE-2024-8747

The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email-obfuscate' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:khromov:email_obfuscate_shortcode:*:*:*:*:*:wordpress:*:*

History

26 Sep 2024, 19:23

Type Values Removed Values Added
First Time Khromov email Obfuscate Shortcode
Khromov
CPE cpe:2.3:a:khromov:email_obfuscate_shortcode:*:*:*:*:*:wordpress:*:*
References () https://wordpress.org/plugins/email-obfuscate-shortcode/ - () https://wordpress.org/plugins/email-obfuscate-shortcode/ - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/77bed6ce-84e7-4b71-8acd-bb5b73e362d2?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/77bed6ce-84e7-4b71-8acd-bb5b73e362d2?source=cve - Third Party Advisory
Summary
  • (es) El complemento Email Ofuscate Shortcode para WordPress es vulnerable a la ejecución de Cross-site Scripting Almacenado a través del código abreviado 'email-obfuscate' del complemento en todas las versiones hasta la 2.0 incluida, debido a una desinfección de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4

13 Sep 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-13 15:15

Updated : 2024-09-26 19:23


NVD link : CVE-2024-8747

Mitre link : CVE-2024-8747

CVE.ORG link : CVE-2024-8747


JSON object : View

Products Affected

khromov

  • email_obfuscate_shortcode
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')