Stored Cross-Site Scripting in Twitter Follow Button Plugin for WordPress
CVE-2024-10116

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Twitter Follow Button
Vendor: CVE Published:; 23 November 2024

Summary

The Twitter Follow Button plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the 'username' parameter. This vulnerability allows authenticated users with Contributor-level access and higher to inject malicious web scripts. The injected scripts execute when other users visit the affected pages, potentially leading to information theft and site compromise. Website administrators should prioritize updating to secure versions and review plugin configurations to mitigate this risk.

References

https://plugins.trac.wordpress.org/browser/twitter-follow...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

https://wordpress.org/plugins/twitter-follow/#developers

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 23, 2024