The Editor Custom Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Metrics
Affected Vendors & Products
References
History
Mon, 28 Oct 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Rock4temps
Rock4temps editor Custom Color Palette |
|
CPEs | cpe:2.3:a:rock4temps:editor_custom_color_palette:*:*:*:*:*:*:*:* | |
Vendors & Products |
Rock4temps
Rock4temps editor Custom Color Palette |
|
Metrics |
ssvc
|
Sat, 26 Oct 2024 08:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Editor Custom Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |
Title | Editor Custom Color Palette <= 3.3.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-10-26T08:36:02.397Z
Updated: 2024-10-28T19:50:18.223Z
Reserved: 2024-10-08T17:48:29.235Z
Link: CVE-2024-9642
Vulnrichment
Updated: 2024-10-28T19:50:12.784Z
NVD
Status : Awaiting Analysis
Published: 2024-10-26T09:15:05.303
Modified: 2024-10-28T13:58:09.230
Link: CVE-2024-9642
Redhat
No data.