Unauthenticated Cross-Site Scripting Vulnerability in WordPress
CVE-2024-8734

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Lucas String Replace
Vendor: CVE Published:; 13 September 2024

What is CVE-2024-8734?

The Lucas String Replace plugin for WordPress exhibits a vulnerability stemming from the use of the add_query_arg function without sufficient URL escaping in all versions up to and including 2.0.5. This security flaw enables unauthorized attackers to execute arbitrary web scripts on affected pages. By deceiving a user into performing a seemingly benign action, such as clicking on a crafted link, an attacker can leverage this vulnerability to execute malicious scripts in the context of the user's session, potentially leading to session hijacking or other malicious activities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Lucas String Replace * <= 2.0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/lucas-string-r...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 13, 2024
Vulnerability Reserved
Sep 11, 2024

Credit

Dale Mavers

JSON

Wordpress