Cross-Site Scripting Vulnerability in WordPress Plugin by Send Email Only on Reply to My Comment
CVE-2024-6224

Currently unrated

Key Information:

Vendor
Wordpress
Vendor
CVE Published:
30 July 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Send Email Only on Reply to My Comment WordPress plugin version 1.0.6 is susceptible to vulnerabilities that can be exploited by malicious actors. The plugin lacks cross-site request forgery (CSRF) protection in several scenarios, allowing unauthorized actions to be performed without user consent. Additionally, it suffers from insufficient input sanitization and escaping, which opens the door to stored Cross-Site Scripting (XSS) attacks. An attacker could potentially exploit these weaknesses to inject malicious scripts into the admin area, leading to unauthorized access and the possibility of further compromises within the WordPress site.

Affected Version(s)

Send email only on Reply to My Comment 0 <= 1.0.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bob Matyas
WPScan
.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.