Reflected Cross-Site Scripting Vulnerability in Bitcoin Lightning Publisher for WordPress
CVE-2024-12100

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Bitcoin Lightning Publisher For WordPress
Vendor: CVE Published:; 24 December 2024

What is CVE-2024-12100?

The Bitcoin Lightning Publisher plugin for WordPress is affected by a reflected cross-site scripting (XSS) vulnerability. This issue arises from improper handling of URL parameters due to the use of the add_query_arg function without adequate escaping. Attackers, unable to authenticate, can exploit this vulnerability by tricking users into clicking a malicious link, thereby allowing the injection of arbitrary web scripts into web pages. Successful exploitation could enable attackers to perform actions on behalf of the user or access sensitive information, thereby compromising the security of the affected WordPress sites.

Affected Version(s)

Bitcoin Lightning Publisher for WordPress 0 <= 1.4.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bitcoin-lightn...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 24, 2024
Vulnerability Reserved
Dec 3, 2024

Credit

Jude Nwadinobi

CVE-2024-12100 Data

JSON