Stored Cross-Site Scripting Vulnerability in WordPress Plugin
CVE-2024-8917

5.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
25 September 2024

What is CVE-2024-8917?

The AnWP Football Leagues plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to and including 0.16.7, because uploaded SVG content is neither sanitized on input nor escaped on output. An SVG is an XML document that a browser will render, and it may carry <script> elements, on* event-handler attributes and javascript: links. This makes it possible for authenticated attackers with Author-level access or higher to upload an SVG containing arbitrary web script; the script executes in the browser of any user who accesses the SVG file, in the site's origin, which can expose that user's session and data.
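The check that is missing in the description above, as an added example rather than code from the AnWP Football Leagues plugin or from WordPress: a scanner that rejects an uploaded SVG when it contains a script-bearing element, an event-handler attribute, or a script-scheme URL. The function names (find_svg_risks, is_safe_svg) and the sample SVG documents are constructed for this illustration.

```python
"""Reject SVG uploads that would run script when opened directly in a browser.

Added illustration, not code from the plugin. The sample SVGs are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Elements that can run or embed active content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that execute script when used in href / xlink:href.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local_name(qualified: str) -> str:
    """ElementTree renders namespaced names as '{uri}name'; keep only 'name'."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_svg_risks(svg: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no known risk.

    A parse error is itself a finding, so a malformed upload is rejected
    instead of being stored unscanned.
    """
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings: list[str] = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for el in root.iter():
        name = _local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            attr_name = _local_name(attr)
            # onload=, onclick=, onbegin=, ... all run script when triggered.
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name}= on <{name}>")
            # href / xlink:href whose scheme executes script. Whitespace and
            # tabs are stripped first because browsers ignore them in schemes.
            if attr_name == "href":
                scheme = "".join(value.split()).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    findings.append(f"script URL in {attr_name}= on <{name}>")
    return findings


def is_safe_svg(svg: bytes) -> bool:
    """True only when the scanner found nothing to object to."""
    return not find_svg_risks(svg)


# Constructed samples: three payload shapes an attacker would try, one benign file.
MALICIOUS_SCRIPT = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>alert(document.cookie)</script></svg>"
)
MALICIOUS_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
MALICIOUS_HREF = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:alert(1)"><text y="20">click</text></a></svg>'
)
CLEAN = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="green"/></svg>'
)

if __name__ == "__main__":
    for label, doc in [("script", MALICIOUS_SCRIPT), ("onload", MALICIOUS_ONLOAD),
                       ("href", MALICIOUS_HREF), ("clean", CLEAN)]:
        print(label, "->", find_svg_risks(doc) or "ok")
```

In a WordPress deployment this check belongs in the upload path (for example a wp_handle_upload_prefilter callback) so the file is refused before it reaches the media library; serving stored SVGs with Content-Disposition: attachment, or from a separate origin, limits the damage if a scan is ever bypassed. For production parsing of untrusted XML, use defusedxml rather than the stdlib parser, which this example uses only to stay dependency-free.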

Affected Version(s)

AnWP Football Leagues <= 0.16.7

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 September 2024

Credit

Francesco Carlucci