Stored Cross-Site Scripting Vulnerability in Embed Twine Plugin for WordPress
CVE-2024-12509

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Embed Twine
Vendor: CVE Published:; 20 December 2024

What is CVE-2024-12509?

The Embed Twine plugin for WordPress exhibits a critical vulnerability, CVE-2024-12509, characterized by Stored Cross-Site Scripting (XSS). This vulnerability arises from insufficient input sanitization and output escaping when handling the 'embed_twine' shortcode. Authenticated users with contributor-level access and higher can exploit this flaw to inject arbitrary web scripts into web pages. As a result, these malicious scripts are executed whenever a visitor loads the compromised content, potentially leading to unauthorized actions and access breaches. Users are urged to update or mitigate risks associated with the vulnerable versions of the Embed Twine plugin.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Embed Twine * <= 0.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/embed-twine/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 20, 2024
Vulnerability Reserved
Dec 11, 2024

Credit

SOPROBRO

JSON

WordPress