Reflected Cross-Site Scripting Vulnerability in Feedify Web Push Notifications Plugin for WordPress
CVE-2024-11811
6.1 MEDIUM
Summary
The Feedify Web Push Notifications plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to and including 2.4.2. The vulnerability arises from insufficient input sanitization and output escaping on the 'platform', 'phone', 'email', and 'store_url' parameters. An attacker can inject malicious scripts into web pages, which run when a user is deceived into clicking a harmful link. The attacker's code then executes in the context of the user's browser, potentially leading to session hijacking, data theft, or further compromise of the website.
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published