Cross-Site Scripting Vulnerability in Avatar 3D Creator
CVE-2024-54358

7.1HIGH

Key Information:

Vendor: WordPress
Status: 3d Avatar User Profile
Vendor: CVE Published:; 16 December 2024

Summary

CVE-2024-54358 is a vulnerability found in the Avatar 3D Creator's 3D Avatar User Profile feature, identified as an improper neutralization of input during web page generation, commonly known as a Cross-Site Scripting (XSS) vulnerability. This flaw allows an attacker to inject malicious scripts into web pages viewed by unsuspecting users. Specifically, the reflected XSS can lead to unauthorized actions, data theft, or user impersonation, especially affecting users interacting with the profile features. Users are encouraged to update to the latest version immediately to mitigate risks associated with this exploit.

Affected Version(s)

3D Avatar User Profile <= 1.0.0

References

https://patchstack.com/database/wordpress/plugin/3d-avata...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 16, 2024
Vulnerability Reserved
Dec 2, 2024

Credit

Zlrqh (Patchstack Alliance)