Stored Cross-Site Scripting Vulnerability in WordPress Branding Plugin
CVE-2024-9674
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 18 October 2024
Summary
The Debrandify plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping when processing SVG file uploads. Authenticated attackers with Author-level access or higher can exploit this weakness to inject arbitrary web scripts. These scripts can execute whenever a user interacts with the vulnerable SVG file, potentially leading to unauthorized actions or data exposure. Users of the Debrandify plugin are advised to upgrade to the latest version to mitigate this vulnerability and ensure the security of their WordPress installations.
Affected Version(s)
Debrandify · Remove or Replace WordPress Branding * <= 1.1.2
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci