Ultimate WordPress Toolkit Vulnerable to Cross-site Scripting Attacks
CVE-2024-47386

7.1 HIGH

Key Information:

Vendor: Wordpress
CVE Published: 5 October 2024

Summary

The vulnerability identified in WP Extended The Ultimate WordPress Toolkit arises from improper neutralization of input during web page generation, leading to a reflected Cross-site Scripting (XSS) issue. Attackers could exploit this flaw by sending a crafted request that may execute arbitrary JavaScript in the browser of an unsuspecting user, potentially compromising user data and gaining unauthorized access to sensitive information. This affects all versions of the product prior to 3.0.8, and it's crucial for users to ensure they are operating on the latest secure version to mitigate risks.

Affected Version(s)

The Ultimate WordPress Toolkit – WP Extended <= 3.0.8

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Le Ngoc Anh (Patchstack Alliance)