BulkPress Plugin Vulnerable to Reflected Cross-Site Scripting
CVE-2024-9615

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Bulkpress
Vendor: CVE Published:; 16 November 2024

Summary

The BulkPress plugin for WordPress presents a vulnerability that can be exploited via reflected cross-site scripting due to improper handling of URL parameters. The use of the 'add_query_arg' function without adequate escaping allows unauthenticated attackers to inject arbitrary scripts into web pages. This injection occurs when victims are deceived into clicking on malicious links, leading to the execution of unwanted scripts within their browsers. Users and administrators of the BulkPress plugin should take immediate measures to patch their installations to mitigate the potential risk.

Affected Version(s)

BulkPress * <= 0.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bulkpress/trun...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 16, 2024
Vulnerability Reserved
Oct 7, 2024

Credit

Dale Mavers