Stored Cross-Site Scripting Vulnerability in WordPress Plugin
CVE-2024-8917
What is CVE-2024-8917?
The AnWP Football Leagues plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability via SVG file uploads, primarily due to the lack of proper input sanitization and output escaping in versions up to 0.16.7. This vulnerability allows authenticated users with Author-level access or higher to inject malicious web scripts into the pages hosting the SVG files. As a result, whenever a user accesses these SVG files, the injected scripts execute, potentially compromising the security and integrity of user sessions and data.

Affected Version(s)
AnWP Football Leagues <= 0.16.7