The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
History

Fri, 27 Sep 2024 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Seanschulte
Seanschulte vikinghammer Tweet
Weaknesses CWE-352
CPEs cpe:2.3:a:seanschulte:vikinghammer_tweet:*:*:*:*:*:wordpress:*:*
Vendors & Products Seanschulte
Seanschulte vikinghammer Tweet

Tue, 17 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress Plugin
Wordpress Plugin vikinghammer Tweet
CPEs cpe:2.3:a:wordpress_plugin:vikinghammer_tweet:*:*:*:*:*:*:*:*
Vendors & Products Wordpress Plugin
Wordpress Plugin vikinghammer Tweet
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Sep 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
Title Vikinghammer Tweet <= 0.2.4 - Stored XSS via CSRF
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-09-17T06:00:03.699Z

Updated: 2024-09-17T14:42:45.857Z

Reserved: 2024-08-21T15:46:44.890Z

Link: CVE-2024-8043

cve-icon Vulnrichment

Updated: 2024-09-17T14:40:59.090Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-17T06:15:02.467

Modified: 2024-09-27T18:22:43.967

Link: CVE-2024-8043

cve-icon Redhat

No data.