Cross-Site Scripting Vulnerability in Subscribe to Comments Plugin
CVE-2024-8792

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Subscribe To Comments
Vendor: CVE Published:; 30 October 2024

What is CVE-2024-8792?

The Subscribe to Comments plugin in WordPress is exposed to a Reflected Cross-Site Scripting vulnerability. Due to the improper handling of URL parameters using add_query_arg without adequate escaping, this issue affects all versions up to and including 2.3. Attackers, who do not require authentication, can exploit this weakness to inject arbitrary web scripts into pages. When users are deceived into clicking a malicious link, these scripts can be executed in their browsers, potentially compromising user sessions and sensitive data. Website owners are urged to update the plugin to mitigate this risk and ensure users' safety.

Affected Version(s)

Subscribe to Comments * <= 2.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/subscribe-to-c...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 30, 2024
Vulnerability Reserved
Sep 13, 2024

Credit

Dale Mavers