← volver
CVE-2024-2428

The Ultimate Video Player For WordPress < 2.2.3 - Contributor+ Stored XSS

CVSS 4.7 MEDIUMEPSS 0.5%
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.7EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
10 abr 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Productos afectados
Unknown · The Ultimate Video Player For WordPress

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://wpscan.com/vulnerability/4832e223-4571-4b45-97db-2fd403797c49/