Unauthorized Execution of Arbitrary Web Scripts via User_id Parameter
CVE-2024-10793

6.1MEDIUM

Key Information:

Vendor
Wordpress
Vendor
CVE Published:
15 November 2024

Badges

👾 Exploit Exists

Summary

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

Affected Version(s)

WP Activity Log * <= 5.2.1

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini
.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.