Cross-Site Scripting Vulnerability in Subscribe to Comments Plugin
CVE-2024-8792
6.1MEDIUM
What is CVE-2024-8792?
The Subscribe to Comments plugin in WordPress is exposed to a Reflected Cross-Site Scripting vulnerability. Due to the improper handling of URL parameters using add_query_arg without adequate escaping, this issue affects all versions up to and including 2.3. Attackers, who do not require authentication, can exploit this weakness to inject arbitrary web scripts into pages. When users are deceived into clicking a malicious link, these scripts can be executed in their browsers, potentially compromising user sessions and sensitive data. Website owners are urged to update the plugin to mitigate this risk and ensure users' safety.
Affected Version(s)
Subscribe to Comments * <= 2.3