Unauthenticated Cross-Site Scripting Vulnerability in LH Copy Media File Plugin for WordPress
CVE-2024-9220

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Lh Copy Media File
Vendor: CVE Published:; 1 October 2024

What is CVE-2024-9220?

The LH Copy Media File plugin utilized in WordPress has a vulnerability that allows for Reflected Cross-Site Scripting (XSS) due to the improper handling of URLs with add_query_arg. This flaw is present in all versions up to and including 1.08. Attackers can exploit this weakness by constructing malicious links that, when clicked by users, can execute arbitrary scripts within their browser context. This exploitation can lead to account compromise, data theft, and further website manipulation if unaddressed, emphasizing the need for timely updates and security measures.

Affected Version(s)

LH Copy Media File * <= 1.08

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/lh-copy-media-...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 1, 2024
Vulnerability Reserved
Sep 26, 2024

Credit

Colin Xu