The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
History

Thu, 26 Sep 2024 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Seedprod
Seedprod rafflepress
Weaknesses CWE-79
CPEs cpe:2.3:a:seedprod:rafflepress:*:*:*:*:*:wordpress:*:*
Vendors & Products Seedprod
Seedprod rafflepress

Thu, 12 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Rafflepress
Rafflepress giveaways And Contests By Rafflepress
CPEs cpe:2.3:a:rafflepress:giveaways_and_contests_by_rafflepress:*:*:*:*:*:wordpress:*:*
Vendors & Products Rafflepress
Rafflepress giveaways And Contests By Rafflepress
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Sep 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Title Giveaways and Contests by RafflePress < 1.12.16 - Editor+ Stored XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-09-12T06:00:04.189Z

Updated: 2024-09-12T18:30:05.435Z

Reserved: 2024-07-18T19:01:31.012Z

Link: CVE-2024-6887

cve-icon Vulnrichment

Updated: 2024-09-12T18:29:27.959Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-12T06:15:24.293

Modified: 2024-09-26T20:38:26.743

Link: CVE-2024-6887

cve-icon Redhat

No data.