Cross-Site Scripting Vulnerability in WordPress Plugin by Send Email Only on Reply to My Comment
CVE-2024-6224
Summary
The Send Email Only on Reply to My Comment WordPress plugin version 1.0.6 is susceptible to vulnerabilities that can be exploited by malicious actors. The plugin lacks cross-site request forgery (CSRF) protection in several scenarios, allowing unauthorized actions to be performed without user consent. Additionally, it suffers from insufficient input sanitization and escaping, which opens the door to stored Cross-Site Scripting (XSS) attacks. An attacker could potentially exploit these weaknesses to inject malicious scripts into the admin area, leading to unauthorized access and the possibility of further compromises within the WordPress site.
Affected Version(s)
Send email only on Reply to My Comment 0 <= 1.0.6
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved