Unauthenticated Cross-Site Scripting Vulnerability in WordPress
CVE-2024-8734

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Lucas String Replace
Vendor: CVE Published:; 13 September 2024

Summary

The Lucas String Replace plugin for WordPress exhibits a vulnerability stemming from the use of the add_query_arg function without sufficient URL escaping in all versions up to and including 2.0.5. This security flaw enables unauthorized attackers to execute arbitrary web scripts on affected pages. By deceiving a user into performing a seemingly benign action, such as clicking on a crafted link, an attacker can leverage this vulnerability to execute malicious scripts in the context of the user's session, potentially leading to session hijacking or other malicious activities.

Affected Version(s)

Lucas String Replace * <= 2.0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/lucas-string-r...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 13, 2024
Vulnerability Reserved
Sep 11, 2024

Credit

Dale Mavers