Plugin Vulnerability Allows Contributors to Perform Stored XSS Attacks
CVE-2024-2428

Currently unrated

Key Information:

Vendor: Wordpress
Status: The Ultimate Video Player For WordPress
Vendor: CVE Published:; 10 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-2428?

The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks

Affected Version(s)

The Ultimate Video Player For WordPress 0 < 2.2.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-2428 - Proof of Concept

References

https://wpscan.com/vulnerability/4832e223-4571-4b45-97db-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 10, 2024
👾
Exploit known to exist
Apr 10, 2024
Vulnerability published
Apr 10, 2024
Vulnerability Reserved
Mar 13, 2024

Credit

Dmitrii Ignatyev

WPScan

JSON

Wordpress