exploitDog

CVE-2024-13667

Опубликовано: 18 фев. 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Ссылки

https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee188cc-2c3f-45e7-b7ce-928242035e37?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:undsgn:uncode:*:*:*:*:*:wordpress:*:*

Версия до 2.9.1.7 (исключая)

EPSS

Процентиль: 23%

0.00077

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-h3q6-j7c5-cmp5

CVSS3: 5.4

github

12 месяцев назад

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

EPSS

Процентиль: 23%

0.00077

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79