CarDealerPress vulnerable to Reflected XSS via Improper Neutralization of Input During Web Page Generation
CVE-2024-54325

7.1HIGH

Key Information:

Vendor: WordPress
Status: Cardealerpress
Vendor: CVE Published:; 13 December 2024

What is CVE-2024-54325?

A cross-site scripting (XSS) vulnerability has been identified in the DealerTrend CarDealerPress plugin, specifically allowing attackers to inject malicious scripts through reflected inputs. This issue poses risks to user data and web integrity. The vulnerability affects versions of CarDealerPress from non-applicable through 6.6.2410.02, enabling an attacker to exploit this flaw by tricking users into loading a URL that contains the XSS payload. It’s critical for users of affected versions to implement corrective measures as soon as possible to mitigate risks associated with this vulnerability.

Affected Version(s)

CarDealerPress <= 6.6.2410.02

References

https://patchstack.com/database/wordpress/plugin/cardeale...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2024
Vulnerability Reserved
Dec 2, 2024

Credit

Mika (Patchstack Alliance)