CVE-2024-8965

The Absolute Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Name' field of a custom post criteria in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:codesupply:absolute_reviews:*:*:*:*:*:wordpress:*:*

History

04 Oct 2024, 19:04

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
First Time Codesupply absolute Reviews
Codesupply
References () https://plugins.trac.wordpress.org/changeset/3156409/absolute-reviews - () https://plugins.trac.wordpress.org/changeset/3156409/absolute-reviews - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/12cfebb8-ae89-410b-a492-340f1553e83e?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/12cfebb8-ae89-410b-a492-340f1553e83e?source=cve - Third Party Advisory
CPE cpe:2.3:a:codesupply:absolute_reviews:*:*:*:*:*:wordpress:*:*

30 Sep 2024, 12:46

Type Values Removed Values Added
Summary
  • (es) El complemento Absolute Reviews para WordPress es vulnerable a Cross-Site Scripting almacenado a través del campo "Nombre" de un criterio de publicación personalizado en todas las versiones hasta la 1.1.3 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en páginas que se ejecutarán siempre que un usuario acceda a una página inyectada.

27 Sep 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-27 06:15

Updated : 2024-10-04 19:04


NVD link : CVE-2024-8965

Mitre link : CVE-2024-8965

CVE.ORG link : CVE-2024-8965


JSON object : View

Products Affected

codesupply

  • absolute_reviews
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')