WordPress Plugins Vulnerable to Reflected Cross-Site Scripting
CVE-2024-11202

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Cm WordPress Search And Replace Plugin; Video Lessons Manager – WordPress Lms Plugin; Cm Tooltip Glossary; Cm Pop-up Banners For WordPress
Vendor: CVE Published:; 26 November 2024

Summary

Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affected Version(s)

CM Business Directory Plugin – Business Listing Directory * <= 1.4.1

CM Header & Footer Script Loader – Insert Script Plugin * <= 1.2.1

CM Pop-Up Banners for WordPress * <= 1.7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cm-pop-up-bann...

https://wordpress.org/plugins/cm-pop-up-banners/#developers

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 14, 2024

Credit

Peter Thaleikis