Stored Cross-Site Scripting Vulnerability in wccp-pro WordPress Plugin
CVE-2024-6693
Key Information:
Badges
What is CVE-2024-6693?
The wccp-pro WordPress plugin versions prior to 15.3 suffer from a vulnerability that fails to adequately sanitize and escape certain settings. This oversight enables high privilege users, including administrators, to execute Stored Cross-Site Scripting attacks. These attacks can occur even when the unfiltered_html capability is disabled, making it particularly dangerous in multisite configurations. Website administrators must take immediate action to review their plugin version and safeguard against potential exploitation.
Affected Version(s)
wccp-pro 0 < 15.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved