The Suki Sites Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Metrics
Affected Vendors & Products
References
History
Tue, 29 Oct 2024 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Sukiwp
Sukiwp suki Sites Import |
|
CPEs | cpe:2.3:a:sukiwp:suki_sites_import:*:*:*:*:*:*:*:* | |
Vendors & Products |
Sukiwp
Sukiwp suki Sites Import |
Fri, 18 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 18 Oct 2024 04:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Suki Sites Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |
Title | Suki Sites Import <= 1.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-10-18T04:32:50.604Z
Updated: 2024-10-18T14:17:22.521Z
Reserved: 2024-09-16T21:53:20.572Z
Link: CVE-2024-8916
Vulnrichment
Updated: 2024-10-18T14:17:17.534Z
NVD
Status : Analyzed
Published: 2024-10-18T05:15:05.857
Modified: 2024-10-29T14:37:42.877
Link: CVE-2024-8916
Redhat
No data.