Stored Cross-Site Scripting Vulnerability in RumbleTalk Live Group Chat
CVE-2024-8720

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Rumbletalk Live Group Chat – Html5
Vendor: CVE Published:; 1 October 2024

Summary

The RumbleTalk Live Group Chat plugin for WordPress is vulnerable to stored cross-site scripting (XSS) through its 'rumbletalk-admin-button' shortcode, affecting all versions up to and including 6.3.0. This vulnerability arises from inadequate input sanitization and output escaping of user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject malicious web scripts into pages. When users access these compromised pages, the injected scripts execute, posing significant risks to user data and site integrity.

Affected Version(s)

RumbleTalk Live Group Chat – HTML5 * <= 6.3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/rumbletalk-cha...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 1, 2024
Vulnerability Reserved
Sep 11, 2024

Credit

Matthew Rollings

Youcef Hamdani