Stored Cross-Site Scripting Vulnerability in Logo Showcase Ultimate
CVE-2024-8046

6.4 MEDIUM

Summary

The Logo Showcase Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting because of insufficient input sanitization and output escaping in its handling of SVG file uploads. An attacker with Author-level access or higher can embed malicious scripts in an uploaded SVG file, and those scripts execute whenever a user accesses that file, which can lead to security breaches and unauthorized access to user sessions or sensitive data. Website administrators should update to the latest version of the plugin and review access controls to mitigate this risk.
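One way to audit SVG files already on a site for the kind of active content described above, as an added example (not code from the plugin or from this advisory): it flags script-capable elements, event-handler attributes and script URLs. The function names, the element list and the sample inputs are assumptions constructed for illustration; a flagged file needs review, and an unflagged file is not proven safe.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that can run or embed active content inside an SVG (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
# Constructed sample inputs, not taken from any real upload.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="constructed()">'
            b'<script>/* constructed */</script>'
            b'<a href="javascript:constructed()"><rect/></a></svg>')

def local(name):
    """Strip the '{namespace}' prefix ElementTree adds and lowercase the rest."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data):
    """Return the reasons an SVG (given as bytes) should be quarantined."""
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DOCTYPE/ENTITY declaration present"]  # refuse before parsing
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            # Drop whitespace so a scheme split by tabs or newlines still matches.
            url = "".join(value.split()).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and url.startswith(("javascript:", "data:text/html")):
                findings.append(f"script URL in {attr} on <{tag}>")
    return findings

def scan_uploads(root):
    """Map each .svg file under root to its findings; clean files are omitted."""
    hits = {str(p): svg_findings(p.read_bytes()) for p in Path(root).rglob("*.svg")}
    return {path: found for path, found in hits.items() if found}

if __name__ == "__main__" and len(sys.argv) > 1:
    for path, found in scan_uploads(sys.argv[1]).items():
        print(path, "; ".join(found))
```

Run it with the site's uploads directory as the only argument (`wp-content/uploads` in a default WordPress install).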

Affected Version(s)

Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid * <= 1.4.1

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley