Stored Cross-Site Scripting Vulnerability in Twitch Integration Plugin for WordPress
CVE-2024-9897

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Streamweasels Twitch Integration
Vendor: CVE Published:; 19 October 2024

Summary

The StreamWeasels Twitch Integration plugin for WordPress exhibits a vulnerability that permits Stored Cross-Site Scripting (XSS) via its sw-twitch-embed shortcode. This flaw stems from inadequate input sanitization and output escaping for user-supplied attributes. As a result, authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into any page that users access. When an affected page is visited, the malicious scripts execute, posing significant security risks to site visitors and potentially compromising their information.

Affected Version(s)

StreamWeasels Twitch Integration * <= 1.8.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/streamweasels-twitch-integr...

https://plugins.trac.wordpress.org/browser/streamweasels-...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 19, 2024
Vulnerability Reserved
Oct 11, 2024

Credit

Peter Thaleikis