FloristPress Vulnerable to Cross-site Scripting
CVE-2024-54347

7.1HIGH

Key Information:

Vendor: WordPress
Status: Floristpress
Vendor: CVE Published:; 13 December 2024

Summary

The vulnerability in FloristPress, a web application developed by BAKKBONE Australia, is a reflected Cross-site Scripting (XSS) flaw. This issue arises from improper handling of user inputs during the generation of web pages. Attackers can exploit this vulnerability by injecting malicious scripts into web pages, which can then be executed in the context of the user's browser. As a result, unauthorized actions may be taken on behalf of the user. Affected versions include FloristPress from an unspecified version up to 7.2.0, highlighting the importance of implementing effective input validation and sanitization measures to mitigate the risk of XSS attacks.

Affected Version(s)

FloristPress <= 7.2.0

References

https://patchstack.com/database/wordpress/plugin/bakkbone...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 13, 2024
Vulnerability Reserved
Dec 2, 2024

Credit

thiennv (Patchstack Alliance)