Stored Cross-Site Scripting in Twitter Follow Button Plugin for WordPress
CVE-2024-10116

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Firecask’s Twitter Follow Button
Vendor: CVE Published:; 23 November 2024

What is CVE-2024-10116?

The Twitter Follow Button plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the 'username' parameter. This vulnerability allows authenticated users with Contributor-level access and higher to inject malicious web scripts. The injected scripts execute when other users visit the affected pages, potentially leading to information theft and site compromise. Website administrators should prioritize updating to secure versions and review plugin configurations to mitigate this risk.

Affected Version(s)

FireCask’s Twitter Follow Button 0 <= 0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/twitter-follow/#developers

https://plugins.trac.wordpress.org/browser/twitter-follow...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 23, 2024

CVE-2024-10116 Data

JSON