The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
History

Mon, 07 Oct 2024 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 01 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared 10web
10web slider
CPEs cpe:2.3:a:10web:slider:*:*:*:*:*:wordpress:*:*
Vendors & Products 10web
10web slider
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Sep 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title Slider by 10Web < 1.2.59 - Admin+ Stored XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-09-30T06:00:06.824Z

Updated: 2024-10-01T14:08:52.155Z

Reserved: 2024-08-28T19:00:51.476Z

Link: CVE-2024-8283

cve-icon Vulnrichment

Updated: 2024-10-01T14:08:46.127Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-30T06:15:14.603

Modified: 2024-10-07T15:49:22.043

Link: CVE-2024-8283

cve-icon Redhat

No data.