Stored Cross-Site Scripting Vulnerability in WordPress Plugin
CVE-2024-8722

5.5 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
19 January 2025

Summary

The Import any XML or CSV File to WordPress PRO plugin (WP All Import Pro) is vulnerable to Stored Cross-Site Scripting through SVG file uploads, because uploaded SVG content is neither sufficiently sanitized on input nor escaped on output. An authenticated attacker with Administrator privileges can upload an SVG that carries script content; that script then executes in the browser of any user who views the uploaded file. The issue highlights the need for strict sanitization of uploaded content and for prompt plugin updates.
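The advisory's root cause is an SVG that reaches the site with active content intact. The following Python checker is an added example written for this page; it is not code from WP All Import Pro or from WordPress. It parses an SVG with the standard library and reports the constructs that make an SVG executable in a browser (script elements, `on*` event-handler attributes, `javascript:`/`data:` links, embedded foreign content, and DTD declarations). The function names `find_active_content` and `is_safe_svg` and the two sample documents are constructed for the example.

```python
"""Flag SVG uploads that carry active content.

Added example for this advisory, not the plugin's or WordPress's own code.
Uses only the standard library so it runs offline.
"""
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary external content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URL and may therefore carry a script-capable scheme.
URL_ATTRIBUTES = {"href", "src"}  # xlink:href is namespaced; _local() reduces it to "href"
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list[str]:
    """Return human-readable findings for every active construct in the SVG.

    An empty list means the document contained nothing that this checker treats
    as executable. Malformed XML is reported as a finding rather than silently
    accepted, so the caller's safe default is to reject.
    """
    findings: list[str] = []

    # Reject DTDs outright: entity declarations are a separate class of XML parser
    # problems and have no legitimate use in an uploaded image.
    head = svg_text.lstrip()[:2048].upper()
    if "<!DOCTYPE" in head or "<!ENTITY" in head:
        return ["document contains a DOCTYPE/ENTITY declaration"]

    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, raw_value in elem.attrib.items():
            name = _local(attr)
            # Browsers ignore embedded whitespace in URL schemes ("java\tscript:"),
            # so normalise before comparing.
            value = "".join(raw_value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name!r} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.startswith(DANGEROUS_SCHEMES):
                findings.append(f"{name}={raw_value!r} on <{tag}> uses a script-capable scheme")
        if tag == "style" and elem.text:
            css = elem.text.lower()
            if "url(" in css or "@import" in css:
                findings.append("<style> block references an external resource")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True only when the checker found nothing active in the document."""
    return not find_active_content(svg_text)


# Constructed samples for the example (not taken from the advisory).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<rect width="10" height="10" fill="#09f"/></svg>'
)

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><text x="5" y="20">click</text></a>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", "safe" if is_safe_svg(doc) else find_active_content(doc))
```

In a WordPress deployment a check like this belongs at upload time (the `wp_handle_upload_prefilter` filter is the usual place to veto a file before it is stored), and the finding list is what you would log; the same function run over an existing uploads directory gives a quick retrospective sweep for SVGs that were stored before the plugin was patched. Note that an allow-list sanitizer that rebuilds the SVG from known-safe elements is stronger than this deny-list checker, which is meant to show the detection logic, not to replace a sanitizer.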

Affected Version(s)

WP All Import Pro * <= 4.9.7

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Francesco Carlucci