Unauthenticated Stored Cross-Site Scripting Vulnerability in SendPulse Free Web Push Plugin for WordPress
CVE-2024-9184
7.2HIGH
What is CVE-2024-9184?
The SendPulse Free Web Push plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 1.3.6. This vulnerability arises from the incorrect implementation of the wp_kses_allowed_html function, enabling unauthenticated attackers to inject arbitrary web scripts into pages. These scripts can be executed whenever users access the affected pages, potentially compromising user data and security.
Affected Version(s)
SendPulse Free Web Push * <= 1.3.6