Reflected Cross-Site Scripting Vulnerability in Back to Top Button plugin
CVE-2024-8741

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Beam Me Up Scotty
Vendor: CVE Published:; 25 September 2024

Summary

The Beam me up Scotty – Back to Top Button plugin for WordPress has a vulnerability that allows for Reflected Cross-Site Scripting (XSS). This flaw arises from the improper handling of the add_query_arg function, which compromises URL parameters by failing to escape them correctly. As a result, unauthenticated attackers can leverage this vulnerability to inject arbitrary web scripts into pages viewed by users. This situation often requires the attacker to deceive the user into clicking a specially crafted link, which triggers the execution of malicious scripts in the user’s browser, leading to potential data theft or session hijacking.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/beam-me-up-sco...

https://plugins.trac.wordpress.org/changeset/3156146/beam...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 25, 2024