The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
History

Fri, 27 Sep 2024 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Wp-master
Wp-master logo Manager For Enamad
Weaknesses CWE-79
CPEs cpe:2.3:a:wp-master:logo_manager_for_enamad:*:*:*:*:*:wordpress:*:*
Vendors & Products Wp-master
Wp-master logo Manager For Enamad

Tue, 17 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Logo Manager For Enamad
Logo Manager For Enamad logo Manager For Enamad
CPEs cpe:2.3:a:logo_manager_for_enamad:logo_manager_for_enamad:0.7.0:*:*:*:*:*:*:*
Vendors & Products Logo Manager For Enamad
Logo Manager For Enamad logo Manager For Enamad
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Sep 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Title Logo Manager For Enamad <= 0.7.1 - Admin+ Stored XSS via Widget
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-09-17T06:00:02.039Z

Updated: 2024-09-17T14:52:48.958Z

Reserved: 2024-05-21T12:32:50.905Z

Link: CVE-2024-5170

cve-icon Vulnrichment

Updated: 2024-09-17T14:49:22.713Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-17T06:15:02.310

Modified: 2024-09-27T18:23:43.833

Link: CVE-2024-5170

cve-icon Redhat

No data.