exploitDog

CVE-2024-13402

Опубликовано: 27 фев. 2025

Источник: nvd

CVSS3: 6.4

CVSS3: 5.4

EPSS Низкий

Описание

The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_title’ parameter in all versions up to, and including, 2.7.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Ссылки

https://www.buddyboss.com/resources/buddyboss-platform-releases/2-8-00/
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/42743c2f-053b-4f14-bf11-865f978ec017?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:buddyboss:buddyboss_platform:*:*:*:*:*:wordpress:*:*

Версия до 2.8.00 (исключая)

EPSS

Процентиль: 23%

0.00077

Низкий

6.4 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-xcgh-pcrh-mfp2

CVSS3: 6.4

github

11 месяцев назад

The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_title’ parameter in all versions up to, and including, 2.7.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

EPSS

Процентиль: 23%

0.00077

Низкий

6.4 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79