Reflected Cross-Site Scripting Vulnerability in Competition Form Plugin for WordPress
CVE-2024-12749
7.1HIGH
Key Information:
- Vendor
- WordPress
- Status
- Vendor
- CVE Published:
- 29 January 2025
Badges
πΎ Exploit Existsπ‘ Public PoC
Summary
The Competition Form plugin for WordPress, in versions up to 2.0, suffers from a vulnerability that allows reflected cross-site scripting due to improper sanitization and escaping of user-supplied parameters. This flaw can be exploited by malicious users to inject arbitrary scripts, particularly targeting high-privilege users like administrators, potentially compromising sensitive data and site integrity.
Affected Version(s)
Competition Form 0 <= 2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
Hassan Khan Yusufzai - Splint3r7
WPScan