Stored Cross-Site Scripting Vulnerability in Loan Comparison Plugin for WordPress
CVE-2024-12814

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Loan Comparison
Vendor: CVE Published:; 24 December 2024

Summary

The Loan Comparison Plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting via its 'loancomparison' shortcode in all versions up to and including 2.0. Due to inadequate input sanitization and output escaping for attributes supplied by users, authenticated attackers with contributor-level access or above can inject arbitrary scripts into the pages. This injected code can then execute whenever a user accesses the affected pages, potentially compromising user data and site integrity. Site administrators should take immediate action to upgrade to the latest version to mitigate this vulnerability and enhance overall site security.

Affected Version(s)

Loan Comparison * <= 2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?old_path=/lo...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 24, 2024
Vulnerability Reserved
Dec 19, 2024

Credit

SOPROBRO