Stored Cross-Site Scripting Vulnerability in Tripetto WordPress Plugin
CVE-2024-10260

7.2HIGH

Key Information:

Vendor: WordPress
Status: WordPress Form Builder Plugin For Contact Forms, Surveys And Quizzes – Tripetto
Vendor: CVE Published:; 15 November 2024

What is CVE-2024-10260?

The Tripetto plugin for WordPress exhibits a vulnerability that allows stored cross-site scripting through file uploads in all versions up to 8.0.3. This issue stems from inadequate input sanitization and output escaping, enabling unauthorized attackers to inject arbitrary scripts into web pages. Consequently, these scripts may execute automatically when users access the uploaded files, potentially compromising their security.

Affected Version(s)

WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto 0 <= 8.0.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/tripetto/trunk/lib/atta...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2024
Vulnerability Reserved
Oct 22, 2024

Credit

Max Boll

CVE-2024-10260 Data

JSON