Cross-Site Scripting Vulnerability in Garden Gnome Package for WordPress
CVE-2024-8657
5.4 MEDIUM
Summary
The Garden Gnome Package plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by insufficient sanitization and escaping of user-supplied attributes within the plugin's ggpkg shortcode. This vulnerability allows authenticated attackers, including those with contributor-level access and above, to inject arbitrary scripts into web pages. The injected scripts are executed in the browser of any user who visits the affected page, potentially leading to unauthorized data manipulation or exposure.
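Because the injected markup is stored in post content, a site that ran an affected version can audit existing posts for ggpkg shortcodes whose attribute values contain characters or schemes that a plain attribute should never carry. The script below is an added example, not code from the plugin or from this advisory; the attribute names (file, width, height), the sample posts and the two heuristic rules are assumptions made for illustration.

```python
import re

# [ggpkg ...] tag; group 1 is the raw attribute string.
# Limitation: a "]" inside an attribute value ends the match early.
SHORTCODE_RE = re.compile(r"\[ggpkg\b([^\]]*)\]", re.IGNORECASE)
# WordPress shortcode attribute forms: name="v", name='v', name=v
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"]+))""")

# Heuristic rules (assumptions): things a path, size or simple token never needs.
RULES = [
    (re.compile(r"""["'<>]"""), "markup character in value"),
    (re.compile(r"^\s*(?:javascript|data|vbscript):", re.IGNORECASE),
     "script-capable URL scheme"),
]

def audit_content(post_id, content):
    """Return (post_id, attribute, reason) for each suspicious ggpkg attribute."""
    findings = []
    for tag in SHORTCODE_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            name = m.group(1)
            # Exactly one of the three value groups is set for a match.
            value = next(g for g in m.groups()[1:] if g is not None)
            for pattern, reason in RULES:
                if pattern.search(value):
                    findings.append((post_id, name, reason))
    return findings

def audit_posts(posts):
    """Audit an iterable of (post_id, post_content) rows."""
    return [f for post_id, content in posts for f in audit_content(post_id, content)]

# Constructed sample rows standing in for an export of wp_posts (not real data).
SAMPLE_POSTS = [
    (101, 'Tour: [ggpkg file="/media/tour.ggpkg" width="640" height="480"]'),
    (102, "[ggpkg file='/media/a.ggpkg' width='640\" data-x=\"PLACEHOLDER']"),
    (103, '[ggpkg file="javascript:PLACEHOLDER"]'),
    (104, "No shortcode here."),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Findings are leads for manual review of the post and its author, not proof of compromise; the durable fix is updating past the affected version so attributes are escaped on output.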
Affected Version(s)
Garden Gnome Package * <= 2.2.9
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Rein Daelman