Reflected XSS Vulnerability in WP Directory Kit Could Lead to Data Theft
CVE-2024-37487

7.1HIGH

Key Information:

Vendor

WordPress
Status
WP Directory Kit
Vendor
CVE Published:
21 July 2024

What is CVE-2024-37487?

The WP Directory Kit plugin for WordPress contains a vulnerability that allows reflected Cross-Site Scripting (XSS) attacks. This occurs due to improper handling of user input during web page generation, potentially enabling attackers to execute malicious scripts in the context of the user’s session. This issue affects WP Directory Kit from its initial release up to version 1.3.5, which can lead to significant security risks if not addressed. Website administrators are strongly advised to update to the latest version and implement additional security measures to mitigate the risk of exploitation.

Affected Version(s)

WP Directory Kit <= 1.3.5

References

https://patchstack.com/database/vulnerability/wpdirectory...
vdb-entry

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dimas Maulana (Patchstack Alliance)
.