Stored Cross-Site Scripting Vulnerability in Traffic Manager for WordPress
CVE-2024-7485
7.2 HIGH
What is CVE-2024-7485?
The Traffic Manager plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) flaw through the 'page' parameter in the 'UserWebStat' AJAX function. This vulnerability arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to insert malicious web scripts. When users subsequently access a page tainted by this injection, the scripts will execute, potentially leading to unauthorized actions or data exposure. It is critical for users of all versions up to and including 1.4.5 to take immediate action to mitigate this risk.
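The advisory names two missing controls for the `page` value: input sanitization and output escaping. The following PHP is an added example of both controls, not code from the Traffic Manager plugin. The function names, the path-only allow-list, the HTML table row and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not the Traffic Manager plugin's code.
// Function names, the allow-list and the sample values are hypothetical.

// Input side: keep only values shaped like a site-relative URL path.
function normalize_page(string $raw): ?string {
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Path, query and fragment characters only: no '<', '>', quotes or spaces.
    if (!preg_match('!^/[A-Za-z0-9/_.~%?&=+#:,;@-]*\z!', $raw)) {
        return null;
    }
    return $raw;
}

// Output side, unsafe: the stored value becomes markup.
function render_row_unescaped(string $page, int $hits): string {
    return "<tr><td>$page</td><td>$hits</td></tr>";
}

// Output side, safe: the stored value is encoded as text at render time.
function render_row_escaped(string $page, int $hits): string {
    $text = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>$text</td><td>$hits</td></tr>";
}

// Constructed sample inputs (not taken from any real traffic).
$samples = [
    '/blog/post-1?ref=news&p=2',
    '/x"><script>alert(1)</script>',
];

foreach ($samples as $raw) {
    $accepted = normalize_page($raw);
    echo 'input:     ', $raw, PHP_EOL;
    echo 'stored:    ', $accepted ?? '(rejected at input)', PHP_EOL;
    // A row written before input validation existed still holds the raw value,
    // so escaping at render time is required regardless of validation.
    echo 'unescaped: ', render_row_unescaped($raw, 1), PHP_EOL;
    echo 'escaped:   ', render_row_escaped($raw, 1), PHP_EOL, PHP_EOL;
}
```

Inside a WordPress plugin, `esc_html()` or `esc_attr()` is the usual output-side call in place of `htmlspecialchars()`.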
Affected Version(s)
Traffic Manager * <= 1.4.5