Unsecured URL Injection Vulnerability in Ashe Theme (maximum severity rating: 7.5)
CVE-2024-9777

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Ashe
Vendor: CVE Published:; 19 November 2024

Summary

The Ashe theme for WordPress has a vulnerability that allows for Reflected Cross-Site Scripting due to improper handling of URLs using the add_query_arg function without necessary escaping. This issue impacts all versions up to and including 2.243. Attackers can exploit this vulnerability to inject arbitrary JavaScript payloads into web pages, which may execute when a user is tricked into clicking on a malicious link. This can lead to session hijacking, phishing attacks, and other malicious activities, highlighting the importance of updates and secure coding practices.

Affected Version(s)

Ashe * <= 2.243

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/themes/ashe/

https://themes.trac.wordpress.org/browser/ashe/2.242/func...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 19, 2024
Vulnerability Reserved
Oct 9, 2024

Credit

Dale Mavers