CVE-2024-2428

The Ultimate Video Player For WordPress < 2.2.3 - Contributor+ Stored XSS

CVSS 4.7 MEDIUMEPSS 0.5%

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.7EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

10 Apr 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Affected products

Unknown · The Ultimate Video Player For WordPress

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/4832e223-4571-4b45-97db-2fd403797c49/