WP ERP HR Solution Vulnerable to Stored Cross-Site Scripting
CVE-2024-0609
7.2HIGH
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 29 March 2024
Summary
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress experiences a vulnerability related to Stored Cross-Site Scripting. This issue arises from inadequate input sanitization and output escaping in the 'api_key' parameter. Attackers without authentication can exploit this vulnerability to inject arbitrary web scripts into pages. The injected scripts will execute for any user who visits the affected page, potentially compromising the integrity of user data and the overall security of the website.
Affected Version(s)
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting * <= 1.12.9
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Krzysztof Zając